CVE-2026-31224: The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier
Summary
Versions of the snorkel library (a tool for machine learning data labeling) up to 0.10.0 have a security flaw in the MultitaskClassifier.load() method that allows arbitrary code execution (running any commands an attacker wants on your computer). The method calls torch.load() without the weights_only=True security setting, so it can deserialize (reconstruct) malicious Python objects from model files that an attacker provides.
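An added example (not from the advisory or the snorkel project): a pre-load audit that lists the Python globals a checkpoint's pickle stream would import, reading opcodes only and never unpickling anything. It assumes the zip container that current torch.save() writes; the ALLOWED set, the function names and the sample data are illustrative assumptions.

```python
import io
import pickle
import pickletools
import zipfile

# Assumption: the globals a plain tensor state_dict needs; anything else is reported.
ALLOWED = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
           "torch.FloatStorage", "torch.LongStorage"}
STRINGS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUTS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
GETS = {"GET", "BINGET", "LONG_BINGET"}

def pickle_globals(data):
    """Names a pickle stream would import, read from its opcodes without loading it."""
    found, recent, memo, top = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRINGS:
            top = arg
            recent.append(arg)
        elif op.name in PUTS:  # MEMOIZE carries no index: it uses the next free slot
            memo[len(memo) if arg is None else arg] = top
        elif op.name in GETS:
            top = memo.get(arg)
            recent.append(top)
        elif op.name != "FRAME":
            if op.name in ("GLOBAL", "INST"):
                found.add(arg.replace(" ", ".", 1))
            elif op.name == "STACK_GLOBAL":  # module and name are the two strings just pushed
                pair = recent[-2:]
                ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
                found.add(".".join(pair) if ok else "<unresolved>")
            elif op.name.startswith("EXT"):  # copyreg extension codes: fail closed
                found.add("<unresolved>")
            top, recent = None, []
    return found

def audit_checkpoint(src):
    """Globals outside ALLOWED in a zip-format checkpoint (path or file object)."""
    with zipfile.ZipFile(src) as zf:
        refs = [pickle_globals(zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")]
    return set().union(*refs) - ALLOWED if refs else {"<no pickle member>"}

def constructed_checkpoint(obj):
    """Constructed sample input: a zip holding archive/data.pkl, as torch.save lays it out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj))
    return buf
```

Treat any non-empty result as a reason not to load the file. The audit complements, and does not replace, calling torch.load() with weights_only=True.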
Vulnerability Details
EPSS: 0.0%
May 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31224
First tracked: May 12, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 95%