CVE-2026-31218

HIGH

nebuly-ai optimate - Remote Code Execution via Insecure Pickle Deserialization in _load_model()

Title source: llm

Description

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the function does not enable the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects through the Pickle module. A remote attacker can exploit this by providing a maliciously crafted state_dict.pt file within a directory specified via the --model argument, leading to arbitrary code execution during the deserialization process on the victim's system.

References (2)

Core 2

Core References

https://github.com/nebuly-ai/optimate

View Writeup ZIP pw:eip

https://www.notion.so/CVE-2026-31218-35d1e139318881839bc8cf6007be2c76

Scores

CVSS v3 8.8

EPSS 0.0056

EPSS Percentile 41.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-502

Status published

Published May 12, 2026

Tracked Since May 12, 2026