CVE-2026-31219 Overview
CVE-2026-31219 is an insecure deserialization vulnerability [CWE-502] in the _load_model() function of the neural_magic_training.py script in the optimate project by nebuly-ai. The flaw affects commit a6d302f912b481c94370811af6b11402f51d377f dated 2024-07-21. The function calls torch.load() on a user-supplied model file without setting weights_only=True, allowing the Python Pickle module to deserialize arbitrary objects. A remote attacker who supplies a crafted .pt or .pth model file can execute arbitrary code on the victim's system during model loading.
Critical Impact
Loading an attacker-controlled PyTorch model file triggers arbitrary code execution under the privileges of the user running the training script.
Affected Products
- optimate project by nebuly-ai (commit a6d302f912b481c94370811af6b11402f51d377f, 2024-07-21)
- neural_magic_training.py script invoked with the --model argument
- Environments using torch.load() without weights_only=True
Discovery Timeline
- 2026-05-12 - CVE-2026-31219 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-31219
Vulnerability Analysis
The _load_model() function accepts a file path from the --model command-line argument and passes it directly to torch.load(). PyTorch's torch.load() historically defaults to unpickling the file contents, which invokes arbitrary Python callables defined inside the serialized object graph. Without weights_only=True, any __reduce__ method embedded in a malicious checkpoint executes during deserialization. The attack runs in the same process context as the training workflow, giving the attacker access to local files, credentials, and network resources available to the user.
Root Cause
The root cause is the use of Python's Pickle-based loader on untrusted input. torch.load() relies on pickle to reconstruct tensors and supporting objects. When weights_only=True is not specified, the loader permits any class to be instantiated, including classes that execute commands through os.system, subprocess.Popen, or eval. The script provides no signature validation, path restriction, or sandboxing before invoking the loader.
Attack Vector
An attacker hosts or distributes a crafted .pt or .pth file containing a Pickle payload whose __reduce__ method runs shell commands. The victim invokes the training script with --model <attacker_file>, and the payload executes during the torch.load() call. Delivery vectors include public model hubs, shared storage, supply-chain compromise of model repositories, and phishing links. The vulnerability is exploited at low complexity and requires only that the victim load the file.
No verified public proof-of-concept code is available. The exploitation pattern follows the documented PyTorch pickle deserialization technique. See the GitHub Repository for Optimate for the affected source.
Detection Methods for CVE-2026-31219
Indicators of Compromise
- Unexpected child processes spawned by Python interpreters running neural_magic_training.py
- .pt or .pth files originating from untrusted sources, public hubs, or unsigned channels
- Outbound network connections from training hosts to unfamiliar domains immediately after model load
- Modifications to user profile scripts, SSH keys, or cron entries during or after model loading
Detection Strategies
- Inspect Python invocations for torch.load( calls that omit the weights_only=True argument using static code analysis (for example, Bandit or Semgrep rules).
- Hunt for process trees where python spawns sh, bash, curl, wget, or powershell shortly after reading a .pt or .pth file.
- Compare hashes of loaded model files against an allow-list of approved checkpoints.
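The static check from the first bullet, written out as an added example (this is not code from the optimate project or from the page): a small AST scanner that reports every torch.load() call in a source file that does not pass the literal weights_only=True. SAMPLE_SOURCE is a constructed stand-in for a script such as neural_magic_training.py; the line numbers in its comments refer to that string, not to the real file.

```python
import ast
from typing import List, Set, Tuple

# Constructed sample source standing in for a script such as neural_magic_training.py;
# it is not the project's code. Line numbers count from the first line of the string.
SAMPLE_SOURCE = """\
import torch
from torch import load as torch_load

def _load_model(path):
    return torch.load(path)                                  # line 5: weights_only omitted

def _load_weights(path):
    return torch.load(path, weights_only=True)               # line 8: safe

def _load_legacy(path):
    return torch.load(path, map_location="cpu", weights_only=False)  # line 11: explicitly unsafe

def _load_alias(path):
    return torch_load(path)                                  # line 14: unsafe through import alias
"""


def _torch_load_aliases(tree: ast.AST) -> Set[str]:
    """Names bound by 'from torch import load [as x]', so aliased calls are not missed."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "torch":
            for alias in node.names:
                if alias.name == "load":
                    names.add(alias.asname or alias.name)
    return names


def _is_torch_load(call: ast.Call, aliases: Set[str]) -> bool:
    """True for torch.load(...) or for a name imported from torch.load."""
    fn = call.func
    if isinstance(fn, ast.Attribute):
        return fn.attr == "load" and isinstance(fn.value, ast.Name) and fn.value.id == "torch"
    return isinstance(fn, ast.Name) and fn.id in aliases


def find_unsafe_torch_load(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for every torch.load() call that does not pass weights_only=True."""
    tree = ast.parse(source)
    aliases = _torch_load_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_torch_load(node, aliases)):
            continue
        if any(kw.arg is None for kw in node.keywords):
            # torch.load(path, **opts): the flag may or may not be inside opts.
            findings.append((node.lineno, "weights_only passed via **kwargs; cannot be verified statically"))
            continue
        kw = next((kw for kw in node.keywords if kw.arg == "weights_only"), None)
        if kw is None:
            findings.append((node.lineno, "weights_only omitted (full pickle load on PyTorch before 2.6)"))
        elif not (isinstance(kw.value, ast.Constant) and kw.value.value is True):
            findings.append((node.lineno, "weights_only is not the literal True"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        for line, reason in find_unsafe_torch_load(SAMPLE_SOURCE):
            print(f"<sample>:{line}: {reason}")
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line, reason in find_unsafe_torch_load(fh.read()):
                print(f"{path}:{line}: {reason}")
```

Run it with one or more file paths to scan a checkout; with no arguments it reports on the built-in sample. It deliberately flags a **kwargs pass-through as unverifiable rather than silently accepting it, and it does not resolve `import torch as th`, so a Semgrep or Bandit rule remains the better fit for a whole code base.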
Monitoring Recommendations
- Enable command-line and process-creation auditing on hosts that run ML training workloads.
- Forward Python audit hook events and EDR telemetry to a centralized SIEM for correlation.
- Alert on torch.load activity that precedes outbound connections to non-corporate IP ranges.
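The process-tree hunt from the Detection Strategies list, as an added example of the correlation logic a SIEM rule would apply to the auditing recommended above (this is constructed example code, not a rule shipped with any product). EVENTS is a constructed set of process-creation records; WINDOW_SECONDS and the suspicious-child list are assumptions to tune for your environment.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry), in the normalised shape a
# SIEM would hold after ingesting auditd or EDR process-start records.
EVENTS = [
    {"ts": 1000.0, "pid": 4001, "ppid": 900,  "image": "python3",
     "cmdline": "python3 neural_magic_training.py --model checkpoints/downloaded.pt"},
    {"ts": 1001.2, "pid": 4002, "ppid": 4001, "image": "sh", "cmdline": "sh"},
    {"ts": 1001.5, "pid": 4003, "ppid": 4002, "image": "curl",
     "cmdline": "curl -s https://beacon.example.invalid/"},
    # Benign: a training run that shells out to nvidia-smi, which is not on the watch list.
    {"ts": 2000.0, "pid": 5001, "ppid": 900,  "image": "python3",
     "cmdline": "python3 neural_magic_training.py --model checkpoints/approved.pth"},
    {"ts": 2001.0, "pid": 5002, "ppid": 5001, "image": "nvidia-smi", "cmdline": "nvidia-smi"},
    # Benign: a Python process that never loaded a .pt/.pth file spawns a shell.
    {"ts": 3000.0, "pid": 6001, "ppid": 900,  "image": "python3", "cmdline": "python3 export_report.py"},
    {"ts": 3000.5, "pid": 6002, "ppid": 6001, "image": "sh", "cmdline": "sh"},
    # Outside the window: a shell spawned long after the model was loaded.
    {"ts": 4000.0, "pid": 7001, "ppid": 900,  "image": "python3",
     "cmdline": "python3 neural_magic_training.py --model old.pth"},
    {"ts": 5000.0, "pid": 7002, "ppid": 7001, "image": "bash", "cmdline": "bash"},
]

MODEL_FILE = re.compile(r"\.pth?$", re.IGNORECASE)
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "powershell", "pwsh"}
WINDOW_SECONDS = 300.0  # assumed: how long after model load a spawn still counts as "shortly after"


def _loads_model_file(cmdline: str) -> bool:
    """True when any argument on the command line names a .pt or .pth file."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the captured command line
        argv = cmdline.split()
    return any(MODEL_FILE.search(arg) for arg in argv)


def find_suspicious_spawns(events: List[dict]) -> List[Tuple[int, int]]:
    """Return (child_pid, python_pid) pairs where a shell or downloader descends from a
    Python process that was given a .pt/.pth file and started within WINDOW_SECONDS of it."""
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if ev["image"] not in SUSPICIOUS_CHILDREN:
            continue
        # Walk up the ancestry; stop at the first Python ancestor that loaded a model file.
        parent = by_pid.get(ev["ppid"])
        seen = set()
        while parent is not None and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if parent["image"].startswith("python") and _loads_model_file(parent["cmdline"]):
                if 0 <= ev["ts"] - parent["ts"] <= WINDOW_SECONDS:
                    alerts.append((ev["pid"], parent["pid"]))
                break
            parent = by_pid.get(parent["ppid"])
    return alerts


if __name__ == "__main__":
    for child, loader in find_suspicious_spawns(EVENTS):
        print(f"ALERT: pid {child} ({EVENTS and next(e for e in EVENTS if e['pid'] == child)['image']}) "
              f"descends from model-loading python pid {loader}")
```

The walk goes through intermediate processes (the curl under sh is attributed to the same Python parent), so a single rule covers both direct and nested spawns; the time window keeps a shell opened an hour into a legitimate training run from firing.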
How to Mitigate CVE-2026-31219
Immediate Actions Required
- Stop loading .pt or .pth files from untrusted sources with the affected optimate commit.
- Patch _load_model() to pass weights_only=True to torch.load() or migrate to safetensors for checkpoint storage.
- Audit existing checkpoints and rebuild any sourced from external repositories.
- Restrict the training script's runtime privileges and isolate it inside a container or dedicated user account.
Patch Information
No official fix commit is listed in the NVD record at the time of publication. Maintainers and downstream users should modify _load_model() in neural_magic_training.py to enforce weights_only=True, validate file provenance, and reject pickle-only checkpoints. Refer to the GitHub Repository for Optimate and the Notion CVE-2026-31219 Details for upstream status.
Workarounds
- Convert trusted checkpoints to the safetensors format, which does not execute code during loading.
- Run model-loading code inside a sandboxed environment with no network egress and minimal filesystem access.
- Apply a wrapper that rejects any torch.load() call missing weights_only=True through a Python audit hook.
# Configuration example: verify provenance first, then load with the safe loader
# Reject files whose SHA-256 is not on the allow-list (approved_models.sha256 holds
# "<hash>  <file>" lines as produced by sha256sum)
sha256sum -c approved_models.sha256 || exit 1
# Load with weights_only=True so only tensors and allow-listed containers are unpickled
python -c "import torch; torch.load('model.pt', weights_only=True)"
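The audit-hook workaround from the list above, together with the hash allow-list from the configuration example, as one added Python example. It also illustrates the root cause described under Technical Details: without the guard, unpickling a constructed canary checkpoint calls whatever callable its __reduce__ names (here the harmless platform.node()); with the guard active, the stdlib "pickle.find_class" audit event is used to refuse every global not on an allow-list before it can be called. This is example code, not code from optimate or PyTorch; ALLOWED_GLOBALS, the two checkpoints and APPROVED_SHA256 are constructed for the demonstration.

```python
import hashlib
import hmac
import pickle
import platform
import sys
import threading
from collections import OrderedDict
from contextlib import contextmanager
from typing import Any, Tuple

# Globals a checkpoint may reference while the guard is active. Illustrative allow-list
# (an assumption of this example): a real one would enumerate exactly the tensor-rebuild
# helpers PyTorch needs, which is what weights_only=True does inside torch.load().
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

_guard = threading.local()  # per-thread enforcement flag; unrelated pickling is untouched


def _audit_hook(event: str, args: tuple) -> None:
    # The stdlib Unpickler raises "pickle.find_class" right before it resolves a global,
    # which is the step that would hand back os.system or subprocess.Popen. Raising here
    # aborts the load before any REDUCE opcode can call the resolved object.
    if event == "pickle.find_class" and getattr(_guard, "active", False):
        module, name = args
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")


sys.addaudithook(_audit_hook)  # audit hooks cannot be removed, hence the per-thread flag


@contextmanager
def guarded_unpickling():
    """Enforce the allow-list for every unpickle on this thread inside the block."""
    _guard.active = True
    try:
        yield
    finally:
        _guard.active = False


# --- constructed sample checkpoints (stand-ins for .pt files, not real PyTorch output) ---
BENIGN_CHECKPOINT = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]))


class _Canary:
    """Harmless stand-in for a hostile object: unpickling it calls platform.node()."""
    def __reduce__(self):
        return (platform.node, ())


HOSTILE_CHECKPOINT = pickle.dumps(_Canary())

# Hash allow-list in the role of approved_models.sha256; constructed here from the benign bytes.
APPROVED_SHA256 = {"benign.pt": hashlib.sha256(BENIGN_CHECKPOINT).hexdigest()}


def guarded_loads(data: bytes) -> Tuple[str, Any]:
    """Unpickle under the audit-hook guard: ("ok", obj) or ("blocked", reason)."""
    try:
        with guarded_unpickling():
            return ("ok", pickle.loads(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def load_checkpoint(name: str, data: bytes) -> Tuple[str, Any]:
    """Provenance check first, then guarded unpickling; mirrors the shell configuration above."""
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, APPROVED_SHA256.get(name, "")):
        return ("rejected", f"{name}: sha256 {digest[:12]}... is not on the allow-list")
    return guarded_loads(data)


def unguarded_load_runs_code(data: bytes) -> bool:
    """The root cause: without the guard, the canary's callable executes during load."""
    return isinstance(pickle.loads(data), str)


if __name__ == "__main__":
    print("benign, approved   :", load_checkpoint("benign.pt", BENIGN_CHECKPOINT)[0])
    print("hostile, unapproved:", load_checkpoint("hostile.pt", HOSTILE_CHECKPOINT)[0])
    print("hostile, guarded   :", guarded_loads(HOSTILE_CHECKPOINT))
    print("hostile, unguarded ran code:", unguarded_load_runs_code(HOSTILE_CHECKPOINT))
```

The hook covers torch.load() on the affected commit because the default (weights_only=False) path delegates to the stdlib Unpickler, whose find_class raises the audit event; loads made with weights_only=True go through PyTorch's own restricted unpickler and are already safe. The hash check runs before any parsing, so a checkpoint of unknown provenance is rejected without its bytes ever reaching pickle.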
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.