CVE-2026-31072
Deferred - Pending Action
APScheduler Insecure Deserialization RCE Vulnerability

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: MITRE

Description
The JSONSerializer and CBORSerializer in APScheduler (all versions, including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application that uses these serializers.
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-20
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
3 associated CPEs:

Vendor       Product          Version / Range
apscheduler  jsonserializer   *
apscheduler  cborserializer   From 3.10.0 (inc) to 4.0.0a5 (inc)
agronholm    apscheduler      From 3.10.0 (inc) to 4.0.0a5 (inc)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

The vulnerability exists in the JSONSerializer and CBORSerializer components of APScheduler (all versions, including 3.10.x and 4.0.0a5). It is a Remote Code Execution (RCE) vulnerability caused by insecure deserialization.

Specifically, the unmarshal_object function allows an attacker to instantiate arbitrary classes and inject state by dynamically importing modules and invoking the __setstate__ method on any class available in the Python environment.

An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application that uses these serializers, potentially leading to execution of arbitrary code.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code remotely on the affected system.

Such remote code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of services, or further exploitation within the network.

Detection Guidance

This vulnerability involves insecure deserialization in APScheduler's JSONSerializer and CBORSerializer, allowing remote code execution via specially crafted payloads. Detection would involve monitoring for suspicious JSON or CBOR payloads that attempt to instantiate arbitrary classes or inject state.

Specific commands or detection signatures are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of APScheduler versions that ship the vulnerable JSONSerializer and CBORSerializer (all versions, including 3.10.x and 4.0.0a5), or avoiding those two serializers altogether on untrusted input.

If upgrading is not immediately possible, restrict or sanitize any input that is deserialized by these serializers to prevent malicious payloads.

Monitor the APScheduler GitHub repository or official channels for patches or updates addressing this vulnerability.

Compliance Impact

The vulnerability in APScheduler's JSONSerializer and CBORSerializer allows remote code execution through insecure deserialization, which can lead to unauthorized access or control over the affected system.

Such a security flaw can impact compliance with standards and regulations like GDPR and HIPAA, as these require protection of personal and sensitive data against unauthorized access and breaches.

Exploitation of this vulnerability could result in data breaches or unauthorized data manipulation, potentially violating data protection requirements and leading to non-compliance with these regulations.
