CVE-2026-7584
Received - Intake
Arbitrary Code Execution in LabOne Q Serialization Framework

Publication date: 2026-05-01

Last updated on: 2026-05-04

Assigner: Switzerland Government Common Vulnerability Program

Description
The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.
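The following Python sketch is an added illustration of the CWE-502 pattern the description outlines; it is not code from LabOne Q or Zurich Instruments. It places an unrestricted class loader (resolving any fully-qualified name taken from the serialized data, as the description attributes to the pre-fix framework) beside an allowlist-based loader that only resolves names through a fixed registry and rejects unexpected constructor arguments. The function names, the `Pulse` and `Section` classes, the `{"__class__": ..., "args": {...}}` node format and the registry contents are all assumptions made for this example.

```python
# Added example, not LabOne Q's code. The real import_cls signature and the
# project's set of serializable types are unknown here and are assumed.
import importlib
import inspect
from typing import Any


# --- Unrestricted pattern (the behaviour the advisory describes pre-fix) ---
def import_cls_unrestricted(qualname: str) -> type:
    """Resolve any 'module.Class' string taken from the file. Nothing limits
    which module is imported or which attribute is returned, so the serialized
    data alone decides what gets instantiated and with which arguments."""
    module_name, _, attr = qualname.rpartition(".")
    module = importlib.import_module(module_name)
    return getattr(module, attr)


# --- Hardened pattern: a fixed registry keyed by the serialized name ---
# Constructed serializable types for this example; a real deserializer would
# register its own experiment objects here.
class Pulse:
    def __init__(self, length: float, amplitude: float) -> None:
        self.length = length
        self.amplitude = amplitude


class Section:
    def __init__(self, uid: str) -> None:
        self.uid = uid


ALLOWED_CLASSES: dict[str, type] = {
    "experiment.Pulse": Pulse,
    "experiment.Section": Section,
}


class UnsafeClassReference(ValueError):
    """Raised when serialized data names a class outside the registry or
    passes constructor arguments the class does not declare."""


def import_cls_restricted(qualname: str) -> type:
    """Resolve a serialized class name only through the registry. No module
    is ever imported based on a string from the file."""
    try:
        return ALLOWED_CLASSES[qualname]
    except KeyError:
        raise UnsafeClassReference(f"refusing to load class {qualname!r}") from None


def deserialize(node: dict[str, Any], loader=import_cls_restricted) -> Any:
    """Instantiate one node of the assumed form {"__class__": name, "args": {...}}.
    Keyword arguments are checked against the class's __init__ signature so the
    file cannot smuggle in parameters the registered class does not declare."""
    cls = loader(node["__class__"])
    kwargs = node.get("args", {})
    declared = set(inspect.signature(cls.__init__).parameters) - {"self"}
    unexpected = set(kwargs) - declared
    if unexpected:
        raise UnsafeClassReference(
            f"unexpected constructor arguments for {node['__class__']!r}: {sorted(unexpected)}"
        )
    return cls(**kwargs)


def safe_to_load(node: dict[str, Any]) -> bool:
    """Convenience check: True if deserialize() accepts the node under the
    restricted loader, False if it is rejected."""
    try:
        deserialize(node)
        return True
    except UnsafeClassReference:
        return False


if __name__ == "__main__":
    # Constructed sample nodes: one registered type, one name outside the registry.
    good = {"__class__": "experiment.Pulse", "args": {"length": 1e-6, "amplitude": 0.5}}
    bad = {"__class__": "pathlib.PurePath", "args": {}}
    print("registered node accepted:", safe_to_load(good))
    print("unregistered node accepted:", safe_to_load(bad))
    # The unrestricted loader happily resolves the same name the restricted one refuses.
    print("unrestricted loader resolved:", import_cls_unrestricted("pathlib.PurePath").__name__)
```

The design point is that the hardened loader never calls `importlib.import_module` on data from the file: the serialized string is only a key into a registry the application controls, and constructor arguments are validated against the registered class before instantiation.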
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
zhinst labone_q From 2.41.0 (inc) to 26.1.2 (exc)
zhinst labone_q 26.4.0
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the LabOne Q serialization framework, which uses a class-loading mechanism to dynamically import and instantiate Python classes during deserialization.

Before the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without validating the target class or restricting which modules could be imported.

An attacker can craft a malicious serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, leading to arbitrary code execution with the privileges of the user running the Python process.

Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example, a compromised experiment file shared for collaboration or support.

How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary code on your system with the same privileges as the user running LabOne Q.

If you load a malicious serialized experiment file, the attacker can run any code they choose, potentially leading to data theft, system compromise, or other malicious activities.

Because the attack requires loading a compromised file, it is important to only open experiment files from trusted sources and validate their provenance.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying whether malicious serialized experiment files are being loaded by LabOne Q. Since exploitation requires loading a crafted serialized file, monitoring for unexpected or untrusted experiment files being opened is critical.

There are no specific commands provided in the available resources to detect exploitation or presence of this vulnerability on a system or network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update LabOne Q to the patched versions 26.1.2 or 26.4.0 released by Zurich Instruments.

Avoid loading serialized experiment files from untrusted or unknown sources, as these files can contain malicious payloads that exploit the deserialization flaw.

Treat all serialized experiment files as potentially executable content and validate their provenance before use.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary code execution when a malicious serialized experiment file is loaded, potentially leading to unauthorized access or manipulation of data within the context of the user running LabOne Q.

Such unauthorized code execution and potential data compromise could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access.

Zurich Instruments recommends treating serialized experiment files as potentially executable content, only loading files from trusted sources, and validating file provenance before use to mitigate risks.

Updating to the patched versions of LabOne Q is critical to address the vulnerability and maintain compliance with security requirements mandated by these standards.
