CVE-2026-31238: The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. Whe
criticalvulnerability
security
Summary
The Ludwig framework (a machine learning tool) versions up to 0.10.4 has a vulnerability where it unsafely loads model files using a method that can execute arbitrary code. When someone runs the ludwig serve command to host a model, an attacker can provide a malicious model file that tricks the system into running their code, potentially taking over the server.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
May 12, 2026
Classification
Attack Type
Model Theft
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31238
First tracked: May 12, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 95%