CVE-2026-31072: APScheduler RCE Vulnerability

CVE-2026-31072 Overview

CVE-2026-31072 is an insecure deserialization vulnerability [CWE-502] in the Advanced Python Scheduler (APScheduler) library. The flaw affects the JSONSerializer and CBORSerializer components across all versions, including the 3.10.x branch and the 4.0.0a5 pre-release. The unmarshal_object function dynamically imports arbitrary Python modules and invokes __setstate__ on attacker-controlled classes. Any application that deserializes untrusted JSON or Concise Binary Object Representation (CBOR) input through these serializers can be coerced into executing arbitrary code. Successful exploitation grants attackers the privileges of the host process, often resulting in full system compromise.

Critical Impact

Remote attackers can achieve unauthenticated code execution by submitting a crafted JSON or CBOR payload to any APScheduler-backed endpoint that processes external input.

Affected Products

• APScheduler 3.10.x (all releases)
• APScheduler 4.0.0a5
• Applications embedding the JSONSerializer or CBORSerializer from APScheduler

Discovery Timeline

• 2026-05-19 - CVE-2026-31072 published to the National Vulnerability Database (NVD)
• 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-31072

Vulnerability Analysis

The vulnerability resides in the unmarshal_object routine used by both the JSONSerializer and CBORSerializer. When deserializing a payload, the function reads a class path string from the input and uses Python's dynamic import machinery to load that class. It then constructs an instance and calls __setstate__ with attacker-supplied state data. This pattern permits instantiation of any class reachable in the running Python environment, including classes with side-effectful constructors or __setstate__ methods. The result is a classic insecure deserialization primitive that bypasses the safety expectations associated with text-based formats like JSON.

Root Cause

The root cause is the implicit trust placed in serialized class identifiers. The serializer treats the type metadata embedded in the payload as authoritative and resolves it through importlib, without an allowlist of safe classes. Because __setstate__ can invoke arbitrary methods on rehydrated objects, the deserialization step effectively becomes a remote method dispatch primitive controlled by the attacker.

Attack Vector

An attacker delivers a crafted JSON or CBOR document to any endpoint that feeds untrusted bytes into JSONSerializer.deserialize or CBORSerializer.deserialize. Common exposure points include job submission APIs, message queue consumers, and persistence layers that round-trip scheduler state. Exploitation requires no authentication or user interaction when the deserializer sits behind a publicly reachable interface. Attackers typically chain the primitive with a Python class that performs command execution during state restoration to obtain a shell. The GitHub Gist proof of concept demonstrates the payload structure, and the APScheduler repository hosts the vulnerable source.

Detection Methods for CVE-2026-31072

Indicators of Compromise

• Inbound HTTP requests or message payloads containing JSON fields that reference fully qualified Python class paths such as os.system, subprocess.Popen, or builtins.eval.
• CBOR payloads delivered to scheduler endpoints that include type tags pointing at non-APScheduler modules.
• Unexpected child processes spawned by the Python interpreter hosting APScheduler, especially shells or network utilities.
• New scheduled jobs or persisted scheduler state referencing classes outside the application's normal allowlist.

Detection Strategies

• Inspect application logs for deserialization errors or stack traces originating in apscheduler.serializers.json or apscheduler.serializers.cbor.
• Apply static analysis to identify code paths that invoke JSONSerializer or CBORSerializer on data sourced from untrusted inputs.
• Use endpoint telemetry to correlate Python process activity with outbound network connections initiated immediately after job submission events.

Monitoring Recommendations

• Forward APScheduler and web framework logs to a centralized analytics platform and alert on repeated deserialization exceptions.
• Monitor process lineage on hosts running APScheduler to flag unexpected execution of shells, interpreters, or living-off-the-land binaries.
• Track ingress traffic volume and payload entropy on scheduler endpoints to surface anomalous serialized payloads.

How to Mitigate CVE-2026-31072

Immediate Actions Required

• Audit all application code paths that consume external input through APScheduler serializers and disable those paths until a patched release is deployed.
• Restrict network access to scheduler endpoints so only authenticated, internal services can submit jobs.
• Rotate credentials and secrets accessible to any host that may have processed untrusted serialized payloads.
• Review scheduler persistence stores for unexpected job definitions and remove suspicious entries.

Patch Information

No fixed version is referenced in the published advisory at the time of writing. Track the APScheduler GitHub repository for an upstream release that removes dynamic class resolution from unmarshal_object or introduces a strict allowlist.

Workarounds

• Replace JSONSerializer and CBORSerializer with a serializer that only accepts primitive types and validates schema before reconstruction.
• Wrap deserialization calls with an allowlist check that rejects any class path outside a known-safe set of APScheduler job classes.
• Terminate untrusted input at an application boundary and require signed payloads using HMAC verification before deserialization.
• Run APScheduler workers under a least-privilege service account inside a sandbox or container with no outbound network access.

# Configuration example: block external traffic to a scheduler service with iptables
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP