CVE-2026-31228
Published 2026-05-12 · CVE-2026-31228: The Adversarial Robustness Toolbox (ART) through 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation…
Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.61% (44.7th percentile)
The Adversarial Robustness Toolbox (ART) through 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation function for PyTorch models uses the unsafe eval() function to dynamically evaluate user-supplied strings for the LossFn and Optimizer parameters without any sanitization or security restrictions. An attacker can exploit this by providing a specially crafted string that contains arbitrary Python code, which will be executed when eval() is called, leading to complete compromise of the system running the ART evaluation.
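The defensive pattern that replaces eval() for parameters like LossFn and Optimizer, as an added illustration that is not ART's own code and not the project's fix: the name is resolved by allow-list lookup and any arguments are parsed with the ast module and accepted only as literals, so no part of the user string is ever executed. The registries are constructed stand-ins for the torch.nn and torch.optim classes a real deployment would register.

```python
import ast
import re

# Constructed stand-in registries (an assumption, not ART's own code): a real
# deployment would map these names to torch.nn losses and torch.optim classes.
LOSS_REGISTRY = {
    "CrossEntropyLoss": lambda **kw: ("CrossEntropyLoss", kw),
    "MSELoss": lambda **kw: ("MSELoss", kw),
}
OPTIMIZER_REGISTRY = {
    "SGD": lambda **kw: ("SGD", kw),
    "Adam": lambda **kw: ("Adam", kw),
}

# A bare name, optionally followed by a parenthesised argument list. Names that
# start with an underscore (dunders included) never match.
_SPEC_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)(?:\((.*)\))?$", re.DOTALL)

def build_from_spec(spec, registry):
    """Resolve 'SGD(lr=0.01)' via allow-list lookup; nothing in spec is executed."""
    m = _SPEC_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"malformed spec: {spec!r}")
    name, arg_text = m.group(1), m.group(2)
    if name not in registry:
        raise ValueError(f"name not in allow-list: {name!r}")
    kwargs = {}
    if arg_text:
        try:  # parse only; ast.parse never runs the code it reads
            call = ast.parse(f"f({arg_text})", mode="eval").body
        except (SyntaxError, ValueError) as exc:  # e.g. a smuggled second statement
            raise ValueError(f"unparseable arguments: {arg_text!r}") from exc
        if not isinstance(call, ast.Call) or call.args:
            raise ValueError("only keyword=literal arguments are allowed")
        for kw in call.keywords:
            if kw.arg is None:  # **mapping expansion
                raise ValueError("** expansion is not allowed")
            try:
                kwargs[kw.arg] = ast.literal_eval(kw.value)  # literals only
            except ValueError as exc:  # calls, names, attribute access
                raise ValueError(f"non-literal value for {kw.arg!r}") from exc
    return registry[name](**kwargs)

def rejects(spec, registry):
    """True if spec is refused; handy for counting bad inputs in audit logs."""
    try:
        build_from_spec(spec, registry)
    except ValueError:
        return True
    return False
```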
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhoai | odh-kserve-agent-rhel9 | — | — |
| rhoai | odh-kserve-controller-rhel9 | — | — |
| rhoai | odh-kserve-router-rhel9 | — | — |
| rhoai | odh-kserve-storage-initializer-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unsanitized user-supplied strings being passed to eval() within the ART Kubeflow robustness evaluation function for PyTorch models, specifically via the LossFn and Optimizer parameters
- Flag or alert on arbitrary Python code execution originating from the ART Kubeflow component's eval() call path, which could indicate exploitation of CVE-2026-31228
- Audit Red Hat OpenShift AI (RHOAI) packages for the affected ART Kubeflow component: rhoai/odh-kserve-agent-rhel9, rhoai/odh-kserve-controller-rhel9, rhoai/odh-kserve-router-rhel9, rhoai/odh-kserve-storage-initializer-rhel9
- All versions of Adversarial Robustness Toolbox (ART) through 1.20.1 are affected; no patch or mitigation meeting Red Hat Product Security criteria is currently available
- Red Hat explicitly states no viable mitigation is available for this flaw as deployed in Red Hat OpenShift AI
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_redhat: 9.8 CRITICAL
Red Hat
adversarial-robustness-toolbox: kubeflow: Adversarial Robustness Toolbox (ART) Kubeflow: Remote code execution via unsanitized user input
Source: vendor_redhat · 2026-05-12 · CVE-2026-31228 · CRITICAL · CVSS 9.8 · CWE-94
A flaw was found in the Adversarial Robustness Toolbox (ART), specifically within its
GHSA
GHSA-8r6g-7rr9-mx32: The Adversarial Robustness Toolbox (ART) thru 1
Source: ghsa_unreviewed · 2026-05-12 · CVE-2026-31228 · CRITICAL · CWE-94
No detection rules found.
No public exploits indexed.
References
- https://github.com/Trusted-AI/adversarial-robustness-toolbox
- https://www.notion.so/CVE-2026-31228-35d1e1393188817f9ab0dc4b1651dfe9
- https://access.redhat.com/security/cve/CVE-2026-31228
- https://bugzilla.redhat.com/show_bug.cgi?id=2476522
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31228.json
Published: 2026-05-12