CVE-2026-31072
APScheduler Insecure Deserialization RCE Vulnerability
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apscheduler | jsonserializer | * |
| apscheduler | cborserializer | From 3.10.0 (inc) to 4.0.0a5 (inc) |
| agronholm | apscheduler | From 3.10.0 (inc) to 4.0.0a5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the JSONSerializer and CBORSerializer components of APScheduler (all versions including 3.10.x and 4.0.0a5). It is a Remote Code Execution (RCE) vulnerability caused by insecure deserialization.
Specifically, the unmarshal_object function allows an attacker to instantiate arbitrary classes and inject state by dynamically importing modules and invoking the __setstate__ method on any class available in the Python environment.
An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application that uses these serializers, potentially leading to execution of arbitrary code.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code remotely on the affected system.
Such remote code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of services, or further exploitation within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insecure deserialization in APScheduler's JSONSerializer and CBORSerializer, allowing remote code execution via specially crafted payloads. Detection would involve monitoring for suspicious JSON or CBOR payloads that attempt to instantiate arbitrary classes or inject state.
Specific commands or detection signatures are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of APScheduler versions that include the vulnerable JSONSerializer and CBORSerializer (all versions including 3.10.x and 4.0.0a5).
If upgrading is not immediately possible, restrict or sanitize any input that is deserialized by these serializers to prevent malicious payloads.
Monitor the APScheduler GitHub repository or official channels for patches or updates addressing this vulnerability.
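As an added illustration of the "restrict input" mitigation above (example code written for this page, not APScheduler's own implementation; the `__class__`/`__state__` envelope, the `jobs:JobRecord` key format and the `JobRecord` class are constructed assumptions), the unmarshal step below resolves class names only through a closed registry and never by dynamic import, so a payload cannot name an arbitrary class whose `__setstate__` would then run:

```python
import json
from typing import Any, Dict

class JobRecord:
    """Constructed example of a class the application legitimately stores."""
    def __init__(self, name: str = "", retries: int = 0) -> None:
        self.name, self.retries = name, retries

    def __getstate__(self) -> Dict[str, Any]:
        return {"name": self.name, "retries": self.retries}

    def __setstate__(self, state: Dict[str, Any]) -> None:
        # State is untrusted input: coerce each field explicitly.
        self.name = str(state["name"])
        self.retries = int(state["retries"])

# Closed registry of the only classes a payload may name. Lookups go through
# this dict, never through importlib, so no other class is reachable.
# The "module:Class" key format is an assumption made for this example.
REGISTRY: Dict[str, type] = {"jobs:JobRecord": JobRecord}

class UntrustedObjectError(ValueError):
    """Raised when a payload names a class outside the registry."""

def marshal_object(obj: Any) -> Dict[str, Any]:
    key = next(k for k, cls in REGISTRY.items() if cls is type(obj))
    return {"__class__": key, "__state__": obj.__getstate__()}

def unmarshal_object(payload: Dict[str, Any]) -> Any:
    """Validate the envelope and class name before any object is touched."""
    if set(payload) != {"__class__", "__state__"}:
        raise UntrustedObjectError("unexpected keys in payload")
    cls = REGISTRY.get(payload["__class__"])
    if cls is None:
        raise UntrustedObjectError(f"class not allowed: {payload['__class__']!r}")
    state = payload["__state__"]
    if not isinstance(state, dict):
        raise UntrustedObjectError("state must be a mapping")
    obj = cls.__new__(cls)  # reconstruct without __init__, then apply state
    obj.__setstate__(state)
    return obj

def roundtrip(obj: Any) -> Any:
    # Serialize to JSON text and back, as a job store would.
    return unmarshal_object(json.loads(json.dumps(marshal_object(obj))))

def rejects(payload: Dict[str, Any]) -> bool:
    try:
        unmarshal_object(payload)
    except UntrustedObjectError:
        return True
    return False
```

The same registry check applies unchanged to a CBOR envelope, since the decision is made on the decoded mapping, not on the wire format.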
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in APScheduler's JSONSerializer and CBORSerializer allows remote code execution through insecure deserialization, which can lead to unauthorized access or control over the affected system.
Such a security flaw can impact compliance with standards and regulations like GDPR and HIPAA, as these require protection of personal and sensitive data against unauthorized access and breaches.
Exploitation of this vulnerability could result in data breaches or unauthorized data manipulation, potentially violating data protection requirements and leading to non-compliance with these regulations.