CVE 8.8 HIGH

CVE-2026-31223_CVE-2026-31223

May 15, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

AI Analysis

Insecure deserialization vulnerability in the snorkel library allowing for arbitrary code execution

Basic Information

ID CVE-2026-31223

Source mitre

Published May 12, 2026 at 00:00

Modified May 15, 2026 at 18:05

Affected Product

Vendor snorkel-team

Product snorkel

Version v0.10.0

Affected Versions n/a n/a n/a

CWE Classification

CWE-502

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor snorkel-team

Product snorkel

Version v0.10.0

References

{
    "lastseen": "",
    "description": "The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.",
    "published": "2026-05-12T00:00:00.000Z",
    "modified": "2026-05-15T18:05:33.607Z",
    "type": "cve",
    "title": "CVE-2026-31223",
    "source": "mitre",
    "references": "https://github.com/snorkel-team/snorkel\nhttps://www.notion.so/CVE-2026-31223-35d1e1393188811ab1d0e4a8a2e67992",
    "id": "CVE-2026-31223",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "snorkel",
    "version": "v0.10.0",
    "vendor": "snorkel-team",
    "ai_description": "Insecure deserialization vulnerability in the snorkel library allowing for arbitrary code execution",
    "ai_severity": "High",
    "ai_vendor": "snorkel-team",
    "ai_product": "snorkel",
    "ai_version": "v0.10.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply