CVE-2026-31237 — Unsafe pandas.read_pickle on user datasets in Ludwig predict()

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using pandas.read_pickle() without any validation or security restrictions. This allows the deserialization of arbitrary Python objects via the unsafe pickle module. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the system running the Ludwig prediction.

Summary

predict() auto-detects .pkl datasets and calls pandas.read_pickle, which wraps unsafe pickle. Supplying a malicious pickle path (via API wrappers) yields RCE in the prediction service.

Affected product and versions

• Product: ludwig-ai/ludwig.
• Affected range (coordination record): through v0.10.4 (commit 00c51e0a286c3fa399a07a550e48d0f3deadc57d).

Technical details

• Surface: User-controlled dataset path passed into predict().
• Sink: pandas.read_pickle without sandbox.
• Impact: RCE when prediction workers open attacker paths.
• Mitigation: Block .pkl inputs in online services; convert datasets to Parquet.

Risk

High for hosted Ludwig inference with arbitrary dataset uploads.

Remediation / workaround

• Vendor patch TBD; enforce allow-listed formats.

CVE Program next steps