CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-89GG-P5R5-Q6R4

GHSA-89gg-p5r5-q6r4: Insecure Pickle Deserialization RCE in MONAI Auto3DSeg

Alon Barad
Alon Barad
Software Engineer

Apr 7, 2026·6 min read·19 visits

Executive Summary (TL;DR)

MONAI versions prior to 1.5.2 are vulnerable to Remote Code Execution via insecure pickle deserialization in the `algo_from_pickle` function. Supplying a maliciously crafted `.pkl` file results in arbitrary system command execution.

The Medical Open Network for AI (MONAI) framework contains a critical remote code execution vulnerability in the Auto3DSeg utility. The `algo_from_pickle` function insecurely deserializes untrusted data using Python's `pickle` module, allowing an attacker who can supply a crafted `.pkl` file to execute arbitrary commands within the context of the application process. This vulnerability affects all versions of the MONAI PyPI package prior to 1.5.2.

Vulnerability Overview

The Medical Open Network for AI (MONAI) framework exposes an insecure deserialization vulnerability (CWE-502) in its Auto3DSeg utility module. The vulnerability resides specifically within the monai/auto3dseg/utils.py file, which contains the algo_from_pickle function. This function is designed to load algorithm configurations or state representations from serialized Python pickle files.

The core issue stems from the application accepting serialized data from potentially untrusted sources and passing it directly to the pickle.loads() function without prior validation or cryptographic signature verification. Python's pickle module is explicitly documented as unsafe for handling untrusted data, as the deserialization process allows for the execution of arbitrary code via specifically crafted object reconstruction instructions.

Successful exploitation requires the attacker to supply a malicious .pkl file to the system and trigger a workflow that invokes the algo_from_pickle function. While the CVSS attack complexity is marked as high due to the required file delivery mechanism, the resulting impact is total compromise of the application environment, yielding arbitrary remote code execution.

Root Cause Analysis

The root cause of this vulnerability is the implementation of an unsafe deserialization sink operating on user-controllable file inputs. The algo_from_pickle function reads the raw bytes from a specified file path and immediately supplies them to the pickle.loads() method.

Python's pickle protocol defines a custom serialization format that includes opcodes for reconstructing Python object hierarchies. When the pickle.loads() function encounters an object defining the __reduce__ method, it interprets the returned tuple as a callable and its arguments, executing the callable to construct the object. An attacker leverages this specification by constructing a class where the __reduce__ method returns a system command execution function, such as os.system or subprocess.call.

The MONAI codebase lacks any defensive mechanisms around this operation. There is no implementation of a restricted Unpickler class to limit the modules and functions that can be dynamically loaded, nor is there a cryptographic integrity check (such as HMAC) to ensure the .pkl file originated from a trusted source. Consequently, the deserialization engine blindly executes the attacker's payload during the parsing phase, before the application logic even interacts with the reconstructed object.

Code Analysis

Analysis of the monai/auto3dseg/utils.py module reveals the direct path from file input to code execution. The algo_from_pickle function accepts a pkl_filename string, opens the file in binary read mode, and extracts the contents.

def algo_from_pickle(pkl_filename: str, template_path: PathLike | None = None, **kwargs: Any) -> Any:
    # ... configuration and path handling ...
    with open(pkl_filename, "rb") as f_pi:
        data_bytes = f_pi.read()
    
    # Vulnerability: Raw bytes are passed to pickle.loads without validation
    data = pickle.loads(data_bytes)
    # ... further processing of the data object ...

The vulnerability manifests exactly at the pickle.loads(data_bytes) call. Because the data_bytes variable contains the raw byte stream from the file system, any manipulation of the file at pkl_filename directly influences the deserialization engine.

Remediation for this class of vulnerability typically requires replacing pickle with a safer serialization format, such as JSON or safetensors, which do not support executable code reconstruction. In contexts where complex Python object states must be saved, developers must implement a custom pickle.Unpickler that overrides the find_class method to strictly whitelist permitted modules and classes, or ensure the file loading operation is tightly constrained to cryptographically signed files.

Exploitation

Exploiting this vulnerability requires crafting a malicious serialized object and delivering it to the target system. The attacker authors a Python script defining a class with a __reduce__ method containing the payload.

import pickle
import subprocess
 
class MaliciousAlgo:
    def __reduce__(self):
        return (subprocess.call, (['calc.exe'],))
 
malicious_algo_bytes = pickle.dumps(MaliciousAlgo())
 
attack_data = {
    "algo_bytes": malicious_algo_bytes,
}
 
with open("attack_algo.pkl", "wb") as f:
    f.write(pickle.dumps(attack_data))

The attacker then introduces attack_algo.pkl into the target environment. The delivery mechanism depends heavily on the application's specific implementation of MONAI. The file could be uploaded via an exposed web interface handling algorithm configurations, transferred via a shared network drive, or injected into a machine learning pipeline repository.

Once the file is on the filesystem and the application logic triggers algo_from_pickle("attack_algo.pkl"), the deserialization process fires. The subprocess.call instruction executes immediately, spawning the malicious process before the algo_from_pickle function completes its execution.

Impact Assessment

The CVSS v3.1 vector evaluates to 8.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). This score reflects the severe consequences of successful exploitation balanced against the specific prerequisites required to trigger the payload.

The attack vector is network-based (AV:N), assuming the attacker can introduce the malicious file through a network interface or data pipeline. The complexity is high (AC:H) and requires high privileges (PR:H) because the attacker must navigate the target environment's access controls to overwrite or supply the target .pkl file. User interaction (UI:R) is required to trigger the actual processing of the algorithm file.

The scope is changed (S:C) because the vulnerability allows the attacker to break out of the application's intended operational boundaries. Exploitation results in total compromise of Confidentiality, Integrity, and Availability (C:H/I:H/A:H) for the host system, constrained only by the operating system privileges assigned to the Python process executing the MONAI framework.

Remediation

The primary remediation for this vulnerability is upgrading the MONAI package to version 1.5.2 or later. The patched version alters the mechanism by which algorithm states are loaded, mitigating the insecure deserialization flaw.

Organizations unable to immediately upgrade must implement strict access controls around the storage locations of .pkl files used by the MONAI application. Ensure that directory permissions prevent unauthorized write or overwrite operations. Validating the origin and integrity of files before they enter the data pipeline drastically reduces the likelihood of exploitation.

Security teams should conduct a broader audit of the application codebase to identify any other instances of unsafe deserialization. This includes searching for unvalidated calls to pickle.loads(), pickle.load(), or torch.load() without the weights_only=True parameter, which present identical attack vectors in machine learning environments.

Official Patches

Project MONAIMONAI Release 1.5.2
Project MONAIOfficial Security Advisory

Technical Appendix

CVSS Score
8.3/ 10
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Affected Systems

MONAI PyPI PackageMONAI Auto3DSeg Utility

Affected Versions Detail

Product
Affected Versions
Fixed Version
monai
Project MONAI
< 1.5.21.5.2
AttributeDetail
CWE IDCWE-502
Vulnerability ClassDeserialization of Untrusted Data
CVSS v3.1 Base Score8.3
Attack VectorNetwork
ImpactRemote Code Execution (RCE)
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059Command and Scripting Interpreter
Execution
CWE-502
Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Known Exploits & Detection

Provided PoCProof of concept demonstrating the use of __reduce__ to execute subprocess.call.

Vulnerability Timeline

Vulnerability published in the GitHub Advisory Database
2026-04-07
Fix released in MONAI version 1.5.2
2026-04-07
PoC code disclosed
2026-04-07

References & Sources

  • [1]GitHub Advisory: GHSA-89GG-P5R5-Q6R4
  • [2]Official Security Advisory
  • [3]MONAI Release 1.5.2
  • [4]CWE-502 Detail

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
1 views•5 min read
•about 1 hour ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
1 views•7 min read
•about 2 hours ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
2 views•8 min read
•about 2 hours ago•CVE-2026-55794
8.7

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 3 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 3 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
3 views•5 min read