CVE-2026-31072
published 2026-05-19


Priority: P269, critical
CVSS 3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.81% (52.3rd percentile)
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers.

Affected

7 ranges (the source's "Version range" and "Fixed in" columns were empty for every row)

Vendor                                    Product
ansible-automation-platform-tech-preview  metrics-service-rhel9
quay                                      quay-rhel8
quay                                      quay-rhel9
satellite                                 iop-advisor-backend-rhel9
satellite                                 iop-host-inventory-rhel9
satellite                                 iop-vmaas-rhel9
satellite                                 iop-vulnerability-engine-rhel9

Detection & IOCs (extracted from sources)

  • Inspect JSON and CBOR documents reaching APScheduler-backed endpoints (job stores, event brokers, anything that accepts serialized job or schedule objects) for object references that name a module and class together with a state blob destined for __setstate__. A reference to any class outside the application's own scheduling types is suspect. Decode CBOR before matching; string rules applied to raw CBOR bytes will miss the references.
  • Monitor for unexpected child processes or command execution originating from APScheduler worker processes on the JSONSerializer/CBORSerializer deserialization path; that is the expected symptom of a crafted payload that was successfully deserialized.
  • Scope by version before assuming exposure: Red Hat's analysis places the vulnerable JSONSerializer and CBORSerializer only in the APScheduler 4.x branch, whereas the CVE description claims all versions including 3.10.x are affected. Verify which serializer classes are actually present in your deployed APScheduler version, and focus detection and patching on 4.x deployments accordingly.
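As an added illustration (not APScheduler's own code, and not its real wire format or API), the following Python reconstructs the pattern the description names: an unmarshal routine that imports whatever module a payload names and calls __setstate__ on whatever class it names, beside a hardened version that resolves type references only through a fixed registry and never imports on the payload's behalf. It also covers the detection bullets above with a helper that enumerates the (module, class) references in a decoded document so an allowlist rule can flag ones outside the application's own types. The {"module", "class", "state"} layout, the ScheduledNote and Canary classes, the example_gadgets module and every function name are assumptions made for this example; Canary stands in for "any class available in the environment" and merely records the state it was handed.

```python
# Added example, not APScheduler code: the {"module","class","state"} layout, the
# names below and the sample payloads are assumptions made for illustration.
import importlib
import json
import sys
import types


class ScheduledNote:
    """Constructed application type that the serializer is meant to restore."""

    def __setstate__(self, state: dict) -> None:
        self.text = state["text"]


class Canary:
    """Stand-in for 'any class in the environment'; records what __setstate__
    was handed instead of doing harm."""

    triggered: list = []

    def __setstate__(self, state: dict) -> None:
        Canary.triggered.append(state)


# Constructed module so the unsafe path can import Canary by name, exactly as it
# would import any installed module in a real deployment.
sys.modules["example_gadgets"] = types.ModuleType("example_gadgets")
sys.modules["example_gadgets"].Canary = Canary


def unmarshal_object_unsafe(obj: dict) -> object:
    """Vulnerable pattern: import whatever module the payload names, fetch the
    attribute it names, and feed attacker-controlled state to __setstate__."""
    module = importlib.import_module(obj["module"])
    cls = getattr(module, obj["class"])
    instance = cls.__new__(cls)
    instance.__setstate__(obj["state"])
    return instance


# Fixed registry of restorable types keyed by (module, class name); nothing
# outside it is ever imported or instantiated.
ALLOWED_TYPES = {(ScheduledNote.__module__, "ScheduledNote"): ScheduledNote}


def unmarshal_object_safe(obj: dict) -> object:
    """Hardened pattern: resolve the reference only through the registry and
    require a plain JSON object as state before calling __setstate__."""
    key = (obj.get("module"), obj.get("class"))
    cls = ALLOWED_TYPES.get(key)
    if cls is None:
        raise ValueError(f"refusing to instantiate untrusted type {key!r}")
    state = obj.get("state")
    if not isinstance(state, dict):
        raise ValueError("state must be a JSON object")
    instance = cls.__new__(cls)
    instance.__setstate__(state)
    return instance


def find_type_refs(payload: str) -> list:
    """Detection helper: every (module, class) reference in a decoded JSON
    document. Decode CBOR to the same structure first; byte-pattern rules miss it."""
    refs = []

    def walk(node: object) -> None:
        if isinstance(node, dict):
            if isinstance(node.get("module"), str) and isinstance(node.get("class"), str):
                refs.append((node["module"], node["class"]))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(payload))
    return refs


def unexpected_type_refs(payload: str) -> list:
    """References outside the registry: what a detection rule should flag."""
    return [ref for ref in find_type_refs(payload) if ref not in ALLOWED_TYPES]


# Constructed payloads: one the application expects, one crafted to name a
# type the application never intended to restore.
BENIGN_PAYLOAD = json.dumps({"module": ScheduledNote.__module__, "class": "ScheduledNote",
                             "state": {"text": "rotate keys"}})
CRAFTED_PAYLOAD = json.dumps({"module": "example_gadgets", "class": "Canary",
                              "state": {"marker": "attacker data"}})


def demo() -> dict:
    """Run both paths on both payloads and report what each did."""
    Canary.triggered.clear()
    unsafe = unmarshal_object_unsafe(json.loads(CRAFTED_PAYLOAD))
    note = unmarshal_object_safe(json.loads(BENIGN_PAYLOAD))
    try:
        unmarshal_object_safe(json.loads(CRAFTED_PAYLOAD))
        verdict = "not blocked"
    except ValueError:
        verdict = "blocked"
    return {"unsafe_instantiated": type(unsafe).__name__, "canary_state": list(Canary.triggered),
            "safe_restored": note.text, "safe_verdict": verdict,
            "flagged": unexpected_type_refs(CRAFTED_PAYLOAD)}
```

Calling demo() shows the unsafe path instantiating Canary and running its __setstate__ with the attacker's state, while the hardened path restores ScheduledNote and rejects the crafted reference; unexpected_type_refs(CRAFTED_PAYLOAD) returns the same reference a log-side rule would flag. The registry lookup is the whole fix: the payload can name any module and class it likes, but only a key already in ALLOWED_TYPES maps to a type, so no import happens and no foreign __setstate__ ever runs.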

CVSS provenance

NVD (v3.1):        9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor):  8.8 HIGH