CVE-2026-31228 — Remote code execution via unsafe eval of LossFn / Optimizer strings in ART Kubeflow evaluation

MITRE service request: 1987825

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation function for PyTorch models uses the unsafe eval() function to dynamically evaluate user-supplied strings for the LossFn and Optimizer parameters without any sanitization or security restrictions. An attacker can exploit this by providing a specially crafted string that contains arbitrary Python code, which will be executed when eval() is called, leading to complete compromise of the system running the ART evaluation.

Summary

The Kubeflow-oriented robustness evaluation path treats remote-controllable LossFn / Optimizer fields as Python source and evaluates them with eval. Anyone who can influence pipeline parameters (object storage, CI variables, or compromised model_id inputs) can inject arbitrary expressions executed during evaluation.

Affected product and versions

• Product: Trusted-AI/adversarial-robustness-toolbox.
• Affected range (coordination record): through ART 1.20.1 (commit 809fcc6c58242b5d76d0127a030817679c5cc781 in original submission).

Technical details

• Surface: Kubeflow pipeline parameters or CLI-equivalent configuration feeding LossFn / Optimizer strings into evaluation helpers.
• Sink: eval() on those strings inside robustness_evaluation_fgsm_pytorch style components.
• Impact: RCE on the worker pod or developer laptop running the pipeline.
• Threat: Supply-chain compromise of stored configs or MITM on insecure registries.

Risk

Critical for automated ML pipelines that reuse shared parameter blobs.

Remediation / workaround

• Remove eval; parse loss/optimizer via registry map.
• Lock down pipeline IAM so only trusted principals can submit jobs.