CVE-2026-31230 — CLI eval injection on -clip_values / -input_shape in ART Kubeflow evaluation script

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string values provided via the –clip_values and –input_shape command-line arguments. This allows an attacker to inject arbitrary Python code into these arguments, which will be executed when eval() is called. The vulnerability can be exploited remotely if an attacker can control these arguments (e.g., through pipeline configuration or automated scripts), leading to arbitrary code execution on the system running the ART evaluation.

Summary

argparse stores user strings for --clip_values / --input_shape, later passed to eval() verbatim. Attackers who can alter pipeline specs or CI parameters can slip lambda-based payloads that execute side effects while still returning tuples that satisfy downstream shape logic.

Affected product and versions

• Product: Trusted-AI/adversarial-robustness-toolbox.
• Affected range (coordination record): through ART 1.20.1.

Technical details

• Surface: Kubeflow / automation passing attacker-controlled CLI strings.
• Sink: clip_values = eval(args.clip_values) (and analogous input_shape).
• Impact: RCE at import/evaluation time.
• Example pattern (conceptual): payload returning tuple after executing malicious lambda.

Risk

High for automated pipelines without parameter review.

Remediation / workaround

• Replace eval with ast.literal_eval or strict parsers.
• Lock pipeline IAM.