CVE-2026-31228 Overview
CVE-2026-31228 is a remote code execution vulnerability in the Adversarial Robustness Toolbox (ART) through version 1.20.1. The flaw resides in the Kubeflow component, specifically the robustness evaluation function for PyTorch models. The function passes user-supplied strings for the LossFn and Optimizer parameters directly into Python's eval() without sanitization. An attacker who controls these inputs can execute arbitrary Python code on the system running the ART evaluation. The issue is tracked under CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers can achieve full remote code execution on machine learning evaluation hosts, leading to complete system compromise.
Affected Products
- Adversarial Robustness Toolbox (ART) versions up to and including 1.20.1
- ART Kubeflow component (robustness evaluation for PyTorch models)
- Any ML pipeline integrating the vulnerable ART evaluation function
Discovery Timeline
- 2026-05-12 - CVE-2026-31228 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-31228
Vulnerability Analysis
The Adversarial Robustness Toolbox is an open-source library for evaluating and defending machine learning models against adversarial attacks. The Kubeflow integration exposes a robustness evaluation routine for PyTorch models that accepts configuration parameters as strings. Two of these parameters, LossFn and Optimizer, are passed to Python's built-in eval() function so the toolbox can dynamically resolve them into callable objects.
Because eval() interprets any valid Python expression, supplying a crafted string causes immediate code execution under the privileges of the ART process. The function performs no allowlisting, no type validation, and no sandboxing of the evaluated expression. The vulnerability is reachable over the network when the Kubeflow pipeline accepts evaluation parameters from external sources or untrusted users.
Root Cause
The root cause is unsafe dynamic evaluation of user-supplied input. The implementation conflates string-to-object resolution with arbitrary expression evaluation. A safe design would use an explicit mapping from known names to callables, or restrict resolution to attributes of trusted modules such as torch.nn and torch.optim.
Attack Vector
An attacker submits a payload to the Kubeflow pipeline parameter handling the LossFn or Optimizer field. Instead of a legitimate identifier such as CrossEntropyLoss, the attacker provides a Python expression that imports os and invokes system(), opens a reverse shell, or writes a malicious file. When the robustness evaluation runs, eval() executes the payload in the context of the worker pod or host. Refer to the Adversarial Robustness Toolbox repository for the affected source.
Detection Methods for CVE-2026-31228
Indicators of Compromise
- Unexpected child processes spawned from Python or PyTorch worker processes inside Kubeflow pods
- Outbound network connections from ART evaluation containers to unknown hosts
- Suspicious values containing parentheses, __import__, os.system, or subprocess in LossFn or Optimizer pipeline parameters
- New files written to /tmp, /var/tmp, or model artifact directories during evaluation runs
Detection Strategies
- Inspect Kubeflow pipeline run parameters and audit logs for non-identifier strings supplied to ART evaluation steps
- Monitor ART worker pods for process lineage anomalies where python spawns shells, network utilities, or compilers
- Apply static analysis to in-house code that wraps ART to flag direct propagation of HTTP or RPC inputs into evaluation parameters
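The parameter audit described in the first strategy above, as an added example that is not ART or Kubeflow code: it scans pipeline run records for LossFn and Optimizer values that are not plain class names or that carry the substrings the Indicators of Compromise list names. The run records are constructed stand-ins for what the Kubeflow Pipelines API or Kubernetes audit log would return, and `looks_like_name`, `classify_value` and `audit_runs` are names chosen here.

```python
"""Audit Kubeflow pipeline run parameters for code-shaped LossFn/Optimizer
values. Added example, not ART or Kubeflow code; the run records below are
constructed stand-ins for KFP API or Kubernetes audit log output."""
import json

WATCHED_PARAMS = ("LossFn", "Optimizer")
# Substrings the advisory names as indicators; checked even inside dotted names.
SUSPICIOUS_TOKENS = ("__import__", "os.system", "subprocess")

# Constructed sample runs: clean, expression with parentheses, __import__
# payload, missing parameter, and a dotted name only the token check catches.
SAMPLE_RUNS = json.loads("""[
  {"run_id": "run-001", "parameters": {"LossFn": "CrossEntropyLoss", "Optimizer": "SGD"}},
  {"run_id": "run-002", "parameters": {"LossFn": "MSELoss", "Optimizer": "torch.optim.Adam(lr=0.01)"}},
  {"run_id": "run-003", "parameters": {"LossFn": "__import__('os').listdir('/')", "Optimizer": "Adam"}},
  {"run_id": "run-004", "parameters": {"LossFn": "CrossEntropyLoss"}},
  {"run_id": "run-005", "parameters": {"LossFn": "os.system", "Optimizer": "Adam"}}
]""")


def looks_like_name(value: str) -> bool:
    """True for a bare or dotted class name such as MSELoss or torch.nn.MSELoss."""
    parts = value.split(".")
    return all(p.isidentifier() and not p.startswith("_") for p in parts)


def classify_value(value: str) -> list:
    """Return the reasons a parameter value is suspicious (empty list = clean)."""
    reasons = []
    if not looks_like_name(value):
        reasons.append("not a plain class name")
    reasons.extend(f"contains {tok!r}" for tok in SUSPICIOUS_TOKENS if tok in value)
    return reasons


def audit_runs(runs: list) -> list:
    """Flag every watched parameter whose value does not look like a class name."""
    findings = []
    for run in runs:
        params = run.get("parameters", {})
        for name in WATCHED_PARAMS:
            if name not in params:
                continue  # parameter not supplied for this run
            value = str(params[name])
            reasons = classify_value(value)
            if reasons:
                findings.append({"run_id": run["run_id"], "parameter": name,
                                 "value": value, "reasons": reasons})
    return findings
```

Dotted names such as torch.nn.MSELoss are accepted on purpose; tighten `looks_like_name` to `str.isidentifier` if your wrapper only ever expects a bare class name.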
Monitoring Recommendations
- Forward Kubernetes audit logs and container runtime telemetry to a centralized analytics platform for correlation
- Alert on egress traffic from ML training and evaluation namespaces that deviates from baseline destinations
- Track invocations of eval, exec, and compile in Python runtime tracing where supported
How to Mitigate CVE-2026-31228
Immediate Actions Required
- Restrict access to Kubeflow pipelines that invoke ART robustness evaluation to trusted users and service accounts
- Validate and allowlist LossFn and Optimizer parameter values before they reach the ART evaluation function
- Isolate ART evaluation workloads in dedicated namespaces with strict network egress policies
- Review historical pipeline runs for parameter values that contain Python expressions rather than simple identifiers
Patch Information
No fixed version is referenced in the published advisory at the time of writing. Monitor the Adversarial Robustness Toolbox repository for releases addressing CVE-2026-31228 and apply updates as soon as they are available. Additional context is documented in the CVE-2026-31228 disclosure notes.
Workarounds
- Replace the eval() call in the affected evaluation function with an explicit dictionary mapping permitted names to PyTorch loss and optimizer classes
- Disable or remove the Kubeflow robustness evaluation component if it is not required in your environment
- Run ART evaluations in ephemeral, network-restricted containers with non-root users and read-only root filesystems
- Enforce admission controller policies in Kubernetes that block pipeline submissions containing suspicious parameter patterns
# Configuration example: restrict egress from the ART evaluation namespace.
# Only traffic to the kube-system namespace (cluster DNS) is allowed; all other
# egress from pods in art-evaluation is dropped. Requires a CNI that enforces
# NetworkPolicy.
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: art-eval-deny-egress
  namespace: art-evaluation
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              # Set automatically on every namespace since Kubernetes 1.21;
              # a bare "name: kube-system" label only exists if added by hand.
              kubernetes.io/metadata.name: kube-system
EOF
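The allowlist resolver that the Root Cause section and the first Workarounds item call for, as an added example rather than ART's code: a user-supplied string is accepted only if it is a bare identifier that names a class on a trusted registry, so expression-shaped input is rejected before anything is evaluated. The four classes and the two `types.SimpleNamespace` registries are constructed stand-ins for torch.nn and torch.optim so the block runs without PyTorch; `resolve_callable`, `validate_params` and `UnsafeParameter` are names chosen here.

```python
"""Allowlist-based replacement for eval() on LossFn / Optimizer parameters.
Added example, not ART's code. Stand-in classes and registries replace
torch.nn / torch.optim; pass the real modules as the registry in practice."""
import types

# Constructed stand-ins for the PyTorch classes a real registry would expose.
class CrossEntropyLoss: ...
class MSELoss: ...
class SGD: ...
class Adam: ...
def _internal_helper(): ...  # must never be reachable from user input

LOSS_REGISTRY = types.SimpleNamespace(CrossEntropyLoss=CrossEntropyLoss,
                                      MSELoss=MSELoss, _internal_helper=_internal_helper)
OPTIM_REGISTRY = types.SimpleNamespace(SGD=SGD, Adam=Adam)


class UnsafeParameter(ValueError):
    """Raised when a parameter value is not an allowlisted class name."""


def resolve_callable(spec: str, registry: object, kind: str) -> type:
    """Map a user-supplied name to a class on a trusted registry.

    Unlike eval(), this accepts only a bare Python identifier, refuses
    private and dunder names, and performs nothing but getattr() on the
    registry, so an expression such as __import__("os").system(...) is
    rejected as a string and never interpreted.
    """
    if not isinstance(spec, str) or not spec.isidentifier():
        raise UnsafeParameter(f"{kind}: expected a bare identifier, got {spec!r}")
    if spec.startswith("_"):
        raise UnsafeParameter(f"{kind}: private names are not permitted: {spec!r}")
    target = getattr(registry, spec, None)
    if target is None or not isinstance(target, type):
        raise UnsafeParameter(f"{kind}: {spec!r} is not an allowlisted class")
    return target


def validate_params(loss_fn: str, optimizer: str) -> list:
    """Return rejection reasons for a LossFn/Optimizer pair (empty = safe)."""
    problems = []
    for spec, registry, kind in ((loss_fn, LOSS_REGISTRY, "LossFn"),
                                 (optimizer, OPTIM_REGISTRY, "Optimizer")):
        try:
            resolve_callable(spec, registry, kind)
        except UnsafeParameter as exc:
            problems.append(str(exc))
    return problems
```

Keeping separate registries for losses and optimizers also stops a loss class being handed to the optimizer slot, which a single shared module lookup would allow.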
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.