Vulnerability  ·  2026-06-21

picklescan Arbitrary File Creation via Logging FileHandler — Security Tool Bypass Risk

Vulnerability  ·  Medium impact  ·  Global  ·  CVE-2026-56304
CVE-2026-56304 (CVSS 6.5) was published 2026-06-20 against picklescan, the widely-used open-source tool for detecting malicious pickle opcodes in Python model files (PyTorch .pkl, .pt, etc.). A flaw in the logging.FileHandler code path allows a maliciously crafted model file to cause picklescan to create arbitrary files on the scanning host when it processes the file.
picklescan is the primary defence against pickle-based model poisoning attacks in ML pipelines (used by Hugging Face Hub, many CI/CD integrations, and model repositories). A vulnerability in the scanner itself is particularly damaging because it can be triggered by the very attack artefacts it is meant to detect, and because scanning pipelines often run with elevated permissions. A successful exploit turns the security tool into an attack vector.
A crafted model file, when scanned by picklescan, triggers the logging.FileHandler path in a way that allows an attacker-controlled filename to be used for file creation on the scanning host, potentially writing arbitrary content to arbitrary paths on the machine running the scan.
picklescan (all versions up to and including the affected release, published 2026-06-20)
Monitor the picklescan GitHub repository for a patched release. Review picklescan usage in CI/CD pipelines and avoid scanning untrusted model files with elevated privileges. Advisory: https://cve.circl.lu/vuln/cve-2026-56304
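The defensive check below is an added example, not picklescan's own code or its actual rule set. It shows the principle that makes a pickle scanner safe to run on untrusted input: the stream is disassembled with pickletools.genops, which never executes an opcode, and every GLOBAL / STACK_GLOBAL reference is compared against a denylist of file-creating callables. The denylist, the sample streams and the helper names are constructed for this example; the "suspicious" samples only name logging.FileHandler without calling it, so loading them would return the class object and create nothing.

```python
"""Static opcode-level check for file-creating callables in a pickle stream.

Added example, not picklescan's own code. It walks the opcode stream with
pickletools.genops, which disassembles without executing anything, and
reports every GLOBAL / STACK_GLOBAL reference whose (module, name) pair is
in a small constructed denylist. The denylist and the sample streams below
are assumptions made for this example.
"""
import pickle
import pickletools
from typing import List, Tuple

# Constructed denylist: callables that create or write files when called.
# logging.FileHandler is the one named in CVE-2026-56304.
SUSPICIOUS_GLOBALS = {
    ("logging", "FileHandler"),
    ("builtins", "open"),
    ("io", "open"),
}

# Opcodes that push a string constant; STACK_GLOBAL (protocol 4+) reads its
# module and attribute names from the two most recent of these.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def find_global_references(data: bytes) -> List[Tuple[str, str]]:
    """Return (module, name) pairs referenced by GLOBAL or STACK_GLOBAL.

    The stream is only disassembled, never loaded, so a hostile payload
    cannot run during the check. STACK_GLOBAL operands are taken from the
    last two string constants pushed; a production scanner must emulate the
    full stack and memo, since the names can also arrive via BINGET.
    """
    refs: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocol 0-3 form: one operand holding "module name".
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            refs.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
    return refs


def scan_pickle(data: bytes) -> List[Tuple[str, str]]:
    """Return the sorted, de-duplicated suspicious references (empty == clean)."""
    return sorted({ref for ref in find_global_references(data)
                   if ref in SUSPICIOUS_GLOBALS})


# Constructed samples. The "suspicious" ones only *reference* the class by
# name (GLOBAL / STACK_GLOBAL followed by STOP); nothing is instantiated or
# called, so loading them would merely return the class object.
BENIGN_SAMPLE = pickle.dumps({"weights": [0.1, 0.2, 0.3], "epoch": 3})
# Protocol-2 style stream written by hand: PROTO 2, GLOBAL, STOP.
FILEHANDLER_SAMPLE_P2 = b"\x80\x02clogging\nFileHandler\n."
# Protocol-4 style stream for the same reference: two SHORT_BINUNICODE
# pushes followed by STACK_GLOBAL, then STOP.
FILEHANDLER_SAMPLE_P4 = (
    b"\x80\x04"
    b"\x8c\x07logging"
    b"\x8c\x0bFileHandler"
    b"\x93."
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SAMPLE),
                          ("protocol 2", FILEHANDLER_SAMPLE_P2),
                          ("protocol 4", FILEHANDLER_SAMPLE_P4)]:
        hits = scan_pickle(sample)
        print(f"{label}: {'FLAGGED ' + str(hits) if hits else 'clean'}")
```

The point of the design is that nothing in the check path calls pickle.load, so the scanner itself cannot be turned into the file-writing primitive the advisory describes; combine this with running the scan as an unprivileged user in a throwaway working directory, as the mitigation above recommends.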
Sources
Vulnerability-Lookup: CVE-2026-56304
NVD: CVE-2026-56304