CVE-2026-31072
Published 2026-05-19. CVE-2026-31072: The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure…
Priority: P269 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.3rd percentile)
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows arbitrary class instantiation and state injection: it dynamically imports the module named in the payload and calls __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application that feeds untrusted data through these serializers.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| satellite | iop-advisor-backend-rhel9 | — | — |
| satellite | iop-host-inventory-rhel9 | — | — |
| satellite | iop-vmaas-rhel9 | — | — |
| satellite | iop-vulnerability-engine-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts targeting APScheduler's insecure deserialization via JSONSerializer or CBORSerializer: look for JSON or CBOR data submitted to APScheduler-backed endpoints that carries a fully qualified module/class reference together with a state object. The payload itself names the class; the dynamic import and the __setstate__ call happen on the server, so they will not appear literally in the payload.
- Monitor for suspicious process spawning or arbitrary command execution originating from APScheduler worker processes (JSONSerializer/CBORSerializer deserialization paths), which may indicate a crafted payload was successfully deserialized.
- Scope detection to APScheduler 4.x. Red Hat states the vulnerable deserializers (JSONSerializer and CBORSerializer) are only present in the 4.x branch, not in 3.x, which contradicts the CVE description's claim that all versions including 3.10.x are affected.
- Before assuming exposure, verify which serializer classes are actually present in your deployed APScheduler version, and scope patching and detection accordingly.
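The description above says unmarshal_object imports whatever module the payload names and calls __setstate__ on whatever class it names, and the detection bullets say to look for class references in submitted payloads. The block below is an added example, not APScheduler's own code, that models that pattern next to an allowlisted version and a payload check. The wire shape {"__class__": "module:QualName", "__state__": {...}}, the "cmd" state key, both classes and every function name are assumptions for illustration; the constructed "hostile" payload only records what a dangerous __setstate__ would have done, it runs nothing.

```python
# Added example: model of the unmarshal_object pattern, its allowlisted fix,
# and a payload check. Names, payload shape and classes are assumptions.
import importlib
import json
from typing import Any, Callable

# Side effects of __setstate__ are recorded here instead of being executed.
EVENTS: list[str] = []


class JobRecord:
    """Constructed: the one class this application legitimately round-trips."""

    def __setstate__(self, state: dict) -> None:
        self.__dict__.update(state)


class LegacyCommandHook:
    """Constructed stand-in for any importable class whose __setstate__ acts
    on attacker-controlled state; it only records what it would have run."""

    def __setstate__(self, state: dict) -> None:
        EVENTS.append(f"would execute: {state.get('cmd')}")


def ref_of(cls: type) -> str:
    """'module:QualName' reference, the form the payload uses to name a class."""
    return f"{cls.__module__}:{cls.__qualname__}"


def unmarshal_object_vulnerable(ref: str, state: dict) -> Any:
    """CWE-502 pattern: import the module the payload names, resolve the class
    it names, and hand that class attacker-chosen state via __setstate__."""
    module_name, _, qualname = ref.partition(":")
    target: Any = importlib.import_module(module_name)
    for part in qualname.split("."):
        target = getattr(target, part)
    instance = target.__new__(target)
    instance.__setstate__(state)
    return instance


# Hypothetical allowlist: only classes registered here may be instantiated.
ALLOWED: dict[str, type] = {ref_of(JobRecord): JobRecord}


def unmarshal_object_hardened(ref: str, state: dict) -> Any:
    """Same contract, but the payload can only pick from the allowlist."""
    cls = ALLOWED.get(ref)
    if cls is None:
        raise ValueError(f"refusing to instantiate {ref!r}: not allowlisted")
    instance = cls.__new__(cls)
    instance.__setstate__(state)
    return instance


def loads(payload: str, unmarshal: Callable[[str, dict], Any]) -> Any:
    """JSON decoding with an object_hook that routes tagged dicts to unmarshal."""

    def hook(obj: dict) -> Any:
        if "__class__" in obj and "__state__" in obj:
            return unmarshal(obj["__class__"], obj["__state__"])
        return obj

    return json.loads(payload, object_hook=hook)


def class_refs(payload: str) -> list[str]:
    """Detection: every class reference a payload would make the server resolve."""
    refs: list[str] = []

    def hook(obj: dict) -> dict:
        if "__class__" in obj and "__state__" in obj:
            refs.append(obj["__class__"])
        return obj

    json.loads(payload, object_hook=hook)
    return refs


def unexpected_refs(payload: str) -> list[str]:
    """References outside the allowlist: the thing to alert on."""
    return [r for r in class_refs(payload) if r not in ALLOWED]


def replay(payload: str, unmarshal: Callable[[str, dict], Any]) -> tuple[bool, list[str]]:
    """Run a payload through an unmarshaller: (accepted, recorded side effects)."""
    EVENTS.clear()
    try:
        loads(payload, unmarshal)
    except ValueError:
        return False, list(EVENTS)
    return True, list(EVENTS)


# Constructed payloads: a legitimate job record, and one naming a class the
# application never intended to deserialize.
BENIGN_PAYLOAD = json.dumps({"__class__": ref_of(JobRecord), "__state__": {"id": "nightly"}})
HOSTILE_PAYLOAD = json.dumps({"__class__": ref_of(LegacyCommandHook), "__state__": {"cmd": "id"}})

if __name__ == "__main__":
    print("vulnerable:", replay(HOSTILE_PAYLOAD, unmarshal_object_vulnerable))
    print("hardened:  ", replay(HOSTILE_PAYLOAD, unmarshal_object_hardened))
    print("alert on:  ", unexpected_refs(HOSTILE_PAYLOAD))
```

The vulnerable path accepts both payloads and lets the attacker's class act on the state; the hardened path raises before any __setstate__ runs for a class outside the allowlist. unexpected_refs is the same check turned into a detection: run it over captured JSON bodies (CBOR would need the equivalent decode hook) and alert on any module:class reference your application does not register.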
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor): 8.8 HIGH
GHSA · 2026-05-19
CVE-2026-31072 [CRITICAL] CWE-502: APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization
GHSA (unreviewed) · 2026-05-19
CVE-2026-31072 [CRITICAL] CWE-502 GHSA-9cfw-f3f9-7mm7: The JSONSerializer and CBORSerializer in APScheduler (all versions including 3
VulDB · 2026-05-19
CVE-2026-31072 [CRITICAL] APScheduler 4.0.0a5 JSONSerializer/CBORSerializer unmarshal_object deserialization
A vulnerability identified as critical has been detected in APScheduler 4.0.0a5. Affected by this issue is the function unmarshal_object of the component JSONSerializer/CBORSerializer. Performing a manipulation results in deserialization.
This vulnerability is known as CVE-2026-31072. Remote exploitation of the attack is possible. No exploit is available.
Red Hat · 2026-05-19 · CVSS 8.8
CVE-2026-31072 [HIGH] CWE-502 apscheduler: APScheduler: Remote Code Execution via Insecure Deserialization
A flaw was found in APScheduler, affecting its JSONSerializer and CBORSerializer components. This vulnerability, known as insecure deserialization, allows a remote attacker to execute arbitrary code on the system. By sending a specially crafted data payload, an attacker can manipulate the application to run malicious commands, potentially leading to a complete compromise of the affected system.
Statement: Despite the CVE.org report of this vulnerability, the affected deserializers are only present in 4.x versions of APScheduler. Red Hat does not ship the affected versions.
Package: ansible-automation-platform-tech-preview/metrics-service-rhel9 (Red Hat Ansible Automation Platform 2) - Not affected
Package: pyth
No detection rules found.
No public exploits indexed.
References
- https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6
- https://github.com/agronholm/apscheduler
- https://access.redhat.com/security/cve/CVE-2026-31072
- https://bugzilla.redhat.com/show_bug.cgi?id=2479907
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31072.json
Published: 2026-05-19