CVE-2026-7584
Received Received - Intake
Arbitrary Code Execution in LabOne Q Serialization Framework

Publication date: 2026-05-01

Last updated on: 2026-05-04

Assigner: Switzerland Government Common Vulnerability Program

Description
The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7584
EUVD
EUVD-2026-26483
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
zhinst labone_q From 2.41.0 (inc) to 26.1.2 (exc)
zhinst labone_q 26.4.0
zhinst labone_q 26.4.0
zhinst labone_q 26.4.0
zhinst labone_q 26.4.0
zhinst labone_q 26.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the LabOne Q serialization framework, which uses a class-loading mechanism to dynamically import and instantiate Python classes during deserialization.

Before the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without validating the target class or restricting which modules could be imported.

An attacker can craft a malicious serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, leading to arbitrary code execution with the privileges of the user running the Python process.

Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example, a compromised experiment file shared for collaboration or support.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code on your system with the same privileges as the user running LabOne Q.

If you load a malicious serialized experiment file, the attacker can run any code they choose, potentially leading to data theft, system compromise, or other malicious activities.

Because the attack requires loading a compromised file, it is important to only open experiment files from trusted sources and validate their provenance.

Detection Guidance

Detection of this vulnerability involves identifying whether malicious serialized experiment files are being loaded by LabOne Q. Since exploitation requires loading a crafted serialized file, monitoring for unexpected or untrusted experiment files being opened is critical.

There are no specific commands provided in the available resources to detect exploitation or presence of this vulnerability on a system or network.

Mitigation Strategies

To mitigate this vulnerability, immediately update LabOne Q to the patched versions 26.1.2 or 26.4.0 released by Zurich Instruments.

Avoid loading serialized experiment files from untrusted or unknown sources, as these files can contain malicious payloads that exploit the deserialization flaw.

Treat all serialized experiment files as potentially executable content and validate their provenance before use.

Compliance Impact

The vulnerability allows arbitrary code execution when a malicious serialized experiment file is loaded, potentially leading to unauthorized access or manipulation of data within the context of the user running LabOne Q.

Such unauthorized code execution and potential data compromise could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access.

Zurich Instruments recommends treating serialized experiment files as potentially executable content, only loading files from trusted sources, and validating file provenance before use to mitigate risks.

Updating to the patched versions of LabOne Q is critical to address the vulnerability and maintain compliance with security requirements mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart