CVE-2026-31230
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (rob
CVSS
9.8
Crítico
EPSS
0.6%
p43
KEV
—
Exploit Today
13
0-100
Publicado: 12 may 2026 · Última mod.: 15 jul 2026 · CWE-88 · CWE-94
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string values provided via the --clip_values and --input_shape command-line arguments. This allows an attacker to inject arbitrary Python code into these arguments, which will be executed when eval() is called. The vulnerability can be exploited remotely if an attacker can control these arguments (e.g., through pipeline configuration or automated scripts), leading to arbitrary code execution on the system running the ART evaluation.
- github.comhttps://github.com/Trusted-AI/adversarial-robustness-toolbox
- www.notion.sohttps://www.notion.so/CVE-2026-31230-35d1e13931888126b624d12769c0e040
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-31230
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2476634
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31230.json