CVE-2026-31238 Overview
CVE-2026-31238 is an insecure deserialization vulnerability [CWE-502] in the Ludwig machine learning framework through version 0.10.4. The flaw resides in the model serving component invoked by the ludwig serve command. Ludwig loads model weight files using PyTorch's torch.load() function without setting the weights_only=True parameter. This default behavior allows arbitrary Python objects to be deserialized through the pickle module. An attacker who supplies a crafted PyTorch model file can achieve arbitrary code execution on the host running the Ludwig model server.
Critical Impact
Remote attackers can execute arbitrary code on Ludwig model servers by providing a malicious model file, with no authentication or user interaction required.
Affected Products
- Ludwig framework versions up to and including 0.10.4
- Ludwig model serving component (ludwig serve)
- Deployments using PyTorch model weight loading via torch.load()
Discovery Timeline
- 2026-05-12 - CVE-2026-31238 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-31238
Vulnerability Analysis
The vulnerability stems from unsafe use of PyTorch's serialization API inside the Ludwig model serving pipeline. When a user starts a model server with ludwig serve, the framework loads model weight files from disk using torch.load(). The function defaults to full pickle-based deserialization unless weights_only=True is explicitly passed.
Pickle deserialization in Python can invoke arbitrary callables through the __reduce__ mechanism. A maliciously crafted model file can therefore embed Python objects whose reconstruction triggers shell commands, network connections, or arbitrary library calls. The Ludwig serving process executes this code with the privileges of the user running the server.
Because Ludwig is commonly deployed in machine learning operations pipelines, affected hosts often hold training data, credentials for cloud object storage, and access to internal model registries. Successful exploitation gives an attacker a foothold inside the ML infrastructure.
Root Cause
The root cause is the absence of the weights_only=True argument in torch.load() calls within the model serving code path. PyTorch added the weights_only parameter specifically to restrict deserialization to tensors and primitive types, blocking arbitrary object reconstruction. Ludwig does not enable this safe mode, leaving pickle deserialization fully active for any model artifact loaded at serving time.
Attack Vector
The attack vector is network reachable through any workflow that causes the Ludwig server to load an attacker-controlled model file. This includes shared model registries, public model repositories, supply chain injection into MLOps pipelines, and any feature that downloads or accepts model artifacts from remote sources. No prior authentication to the server is required when the loading path consumes external artifacts.
The vulnerability is described in prose only. See the GitHub Ludwig Repository and the Notion CVE-2026-31238 Details for additional technical context.
Detection Methods for CVE-2026-31238
Indicators of Compromise
- Unexpected child processes spawned by the Ludwig server process during model load, such as sh, bash, python, or curl.
- Outbound network connections from the Ludwig serving host to unknown external addresses shortly after a model is loaded.
- New or modified files in user home directories, cron locations, or SSH authorized_keys following a ludwig serve invocation.
- Model artifact files arriving from untrusted sources or with modification timestamps inconsistent with the training pipeline.
Detection Strategies
- Monitor process trees for the Ludwig serving process and alert on any non-Python child processes that execute system utilities or shells.
- Inspect PyTorch model files for embedded pickle opcodes referencing dangerous globals such as os.system, subprocess, eval, or exec before deployment.
- Apply behavioral analytics that correlate model file ingestion events with subsequent process and network activity on the same host.
Monitoring Recommendations
- Forward process execution, file integrity, and network telemetry from ML serving hosts to a centralized analytics pipeline.
- Track outbound traffic from inference servers and baseline expected destinations to flag anomalous egress.
- Audit model registry pulls and record which model hashes are loaded by each ludwig serve instance.
How to Mitigate CVE-2026-31238
Immediate Actions Required
- Restrict ludwig serve to load only model artifacts produced by trusted, authenticated build pipelines.
- Isolate Ludwig serving hosts in network segments without access to sensitive credentials or production data stores.
- Remove untrusted model files from shared storage and rotate any credentials accessible to compromised serving hosts.
Patch Information
No fixed version is referenced in the published advisory at the time of writing. Track the GitHub Ludwig Repository for an updated release that enables weights_only=True in the model serving code path, and upgrade once available.
Workarounds
- Run ludwig serve only against model files generated and stored within trusted infrastructure with cryptographic integrity checks.
- Execute the Ludwig server as a low-privilege user inside a container or sandbox with restricted filesystem and network access.
- Apply egress filtering to block outbound connections from serving hosts to destinations outside the approved allowlist.
- For internal forks, patch torch.load() call sites to pass weights_only=True and reject any model file that requires legacy pickle loading.
# Configuration example: run ludwig serve as an unprivileged user inside an isolated container
docker run --rm \
--user 10001:10001 \
--read-only \
--cap-drop=ALL \
--network=ludwig-isolated \
-v /trusted/models:/models:ro \
ludwig-ai/ludwig:latest \
serve --model_path /models/verified_model
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
