Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58659

CVE-2026-58659: PyTorch Lightning RCE Vulnerability

CVE-2026-58659 is a remote code execution vulnerability in PyTorch Lightning through version 2.6.5 that allows attackers to execute arbitrary code via malicious checkpoint files. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-58659 Overview

CVE-2026-58659 is a remote code execution vulnerability in PyTorch Lightning through version 2.6.5. The flaw resides in the _load_state function within src/lightning/pytorch/core/saving.py, which imports and executes attacker-controlled module names from the checkpoint _instantiator hyperparameter. Attackers craft malicious checkpoint files that bypass the weights_only=True protection introduced to mitigate unsafe deserialization. When a victim calls LightningModule.load_from_checkpoint, the specified instantiator path resolves to arbitrary Python code and executes in the loading process. The issue is tracked under [CWE-470: Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)] and was fixed in commit d710d68.

Critical Impact

Loading an untrusted .ckpt file in PyTorch Lightning ≤ 2.6.5 executes arbitrary Python code in the context of the user running the model, defeating the weights_only=True safeguard.

Affected Products

  • PyTorch Lightning (all versions through 2.6.5)
  • pytorch_lightning Python package consumers of LightningModule.load_from_checkpoint
  • Fixed in the Lightning-AI/pytorch-lightning commit d710d68

Discovery Timeline

  • 2026-07-15 - CVE-2026-58659 published to NVD
  • 2026-07-15 - Last updated in NVD database

Technical Details for CVE-2026-58659

Vulnerability Analysis

PyTorch Lightning persists model state and hyperparameters inside checkpoint files. Among the stored hyperparameters, an _instantiator key can reference the dotted import path of a callable used to reconstruct the module. When _load_from_checkpoint processes the checkpoint, it passes this attacker-controlled string to importlib, which imports the target module and invokes it. Because the import happens before any validation of the resolved object, side-effectful module-level code executes immediately. This behavior sidesteps the weights_only=True flag that recent PyTorch releases use to block pickle-based gadget chains, since the code path is not part of tensor deserialization.

Root Cause

The root cause is unsafe reflection. The loader trusts checkpoint-supplied identifiers to name importable Python modules without maintaining an allowlist. Any string that resolves through importlib becomes executable content.

Attack Vector

Exploitation requires a victim to load a malicious checkpoint file. This commonly occurs when researchers download pretrained weights from public model hubs, shared object storage, or collaborators. The vulnerability requires user interaction but no authentication, and the attacker controls only the checkpoint payload.

python
# Patch excerpt from src/lightning/pytorch/core/saving.py
# the older shall be on the top
CHECKPOINT_PAST_HPARAMS_KEYS = ("hparams", "module_arguments")  # used in 0.7.6

# instantiator import paths trusted to resolve from a checkpoint,
# to prevent code execution (#21822)
_ALLOWED_INSTANTIATORS = {
    "lightning.pytorch.cli.instantiate_module",
    "pytorch_lightning.cli.instantiate_module",
}


def _load_from_checkpoint(
    cls: Union[type["pl.LightningModule"], type["pl.LightningDataModule"]],
    ...
):
    ...

Source: Lightning-AI/pytorch-lightning commit d710d68. The patch introduces an _ALLOWED_INSTANTIATORS set and rejects any _instantiator value outside that allowlist.

Detection Methods for CVE-2026-58659

Indicators of Compromise

  • Checkpoint files (.ckpt, .pt) whose hyperparameters contain an _instantiator key referencing a module outside lightning.pytorch.cli.instantiate_module or pytorch_lightning.cli.instantiate_module.
  • Python processes spawning unexpected child processes (shells, curl, wget) immediately after calls to LightningModule.load_from_checkpoint.
  • Outbound network connections from ML training or inference hosts to unknown hosts shortly after model load.

Detection Strategies

  • Statically scan checkpoint archives for suspicious _instantiator values by unpickling only the hyperparameter dictionary in a sandbox.
  • Instrument Python importlib in ML pipelines to log any dynamic import triggered from pytorch_lightning.core.saving.
  • Alert on process lineage where python executes non-ML binaries as descendants of Jupyter, Airflow, or Kubeflow workers.

Monitoring Recommendations

  • Track the installed pytorch-lightning version across build systems and training clusters, flagging any release earlier than the commit d710d68 fix.
  • Monitor model registries and object storage for newly uploaded checkpoints from untrusted authors.
  • Baseline outbound egress from GPU workloads and alert on deviations that coincide with checkpoint load events.

How to Mitigate CVE-2026-58659

Immediate Actions Required

  • Upgrade PyTorch Lightning to a release containing commit d710d68 or newer.
  • Treat all third-party checkpoints as untrusted code until they are validated in an isolated environment.
  • Audit shared model repositories and remove checkpoints whose provenance cannot be verified.
  • Restrict the execution environment of load_from_checkpoint calls to non-privileged, network-restricted containers.

Patch Information

The fix is available in the Lightning-AI repository at commit d710d68, delivered through pull request #21832 which addresses issue #21822. The VulnCheck advisory contains additional exploitation context. The patch enforces an allowlist of instantiator import paths and refuses any other value stored in the checkpoint.

Workarounds

  • Load checkpoints only inside disposable sandboxes such as ephemeral containers or gVisor-isolated processes.
  • Preprocess checkpoint files to strip or overwrite the _instantiator hyperparameter before invoking load_from_checkpoint.
  • Require cryptographic signature verification for internal checkpoints before allowing them into training or inference pipelines.
bash
# Upgrade to a patched PyTorch Lightning build (post-commit d710d68)
pip install --upgrade "pytorch-lightning>2.6.5"

# Quick pre-load inspection: reject checkpoints referencing untrusted instantiators
python - <<'PY'
import sys, torch
ALLOWED = {
    "lightning.pytorch.cli.instantiate_module",
    "pytorch_lightning.cli.instantiate_module",
}
ckpt = torch.load(sys.argv[1], map_location="cpu", weights_only=False)
inst = (ckpt.get("hyper_parameters") or {}).get("_instantiator")
if inst and inst not in ALLOWED:
    raise SystemExit(f"Untrusted _instantiator: {inst}")
print("Checkpoint instantiator OK")
PY

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.