CVE-2026-38950
Code Execution in ESA AnomalyMatch via Malicious Model Files
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esa | anomalymatch | before 1.3.1 (1.3.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-38950 is an unsafe deserialization vulnerability in the European Space Agency's (ESA) AnomalyMatch AI system, present in versions before 1.3.1.
The vulnerability arises because the software loads model checkpoint files using torch.load() with unrestricted deserialization, allowing maliciously crafted checkpoint files to execute arbitrary code.
This happens due to the use of pickle-based serialization, which can execute arbitrary objects and callables embedded in the checkpoint file.
The issue was fixed in version 1.3.1 by replacing pickle-based serialization with the safer safetensors format and removing legacy loading methods.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ESA AnomalyMatch allows arbitrary code execution via unsafe deserialization of model checkpoint files. Successful exploitation could lead to data theft, lateral movement, or manipulation of scientific results depending on the deployment environment.
Such risks could impact compliance with data protection regulations like GDPR or HIPAA if sensitive or personal data is exposed or manipulated due to this vulnerability.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
How can this vulnerability impact me?
Successful exploitation of this vulnerability can lead to arbitrary code execution on the system running ESA AnomalyMatch.
This can result in data theft, lateral movement within the network, or manipulation of scientific results depending on the deployment environment.
The risk is especially significant when loading checkpoint files from untrusted sources, which is common in machine learning workflows.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system is running ESA AnomalyMatch versions prior to 1.3.1 that load model checkpoint files using unsafe deserialization methods (torch.load with weights_only=False).
You can check the installed version of AnomalyMatch to determine if it is vulnerable.
- Run a command to check the version of ESA AnomalyMatch, for example: `anomalymatch --version` or check the version in your environment or package manager.
- Search for usage of torch.load in your codebase or environment to see if it is called with unsafe parameters, e.g., `grep -r "torch.load" /path/to/anomalymatch`.
- Monitor for suspicious loading of model checkpoint files from untrusted sources, as this is the attack vector.
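A small stdlib-only scanner that refines the `grep` above by parsing each `torch.load(...)` call and classifying its `weights_only` argument. It is an added example, not code from the advisory or from AnomalyMatch; the source it scans is constructed, and `TorchLoadFinding`, `audit_torch_load` and `unsafe_lines` are names chosen here.

```python
import ast
from dataclasses import dataclass


@dataclass
class TorchLoadFinding:
    lineno: int
    weights_only: str   # "True", "False", "unset" or "dynamic"
    unsafe: bool        # True when the call may fall back to full pickle deserialization


def _is_torch_load(call: ast.Call) -> bool:
    # Match the attribute form torch.load(...); a `from torch import load` alias is not tracked here
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id == "torch")


def audit_torch_load(source: str) -> list:
    """Return one finding per torch.load(...) call in `source`, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_torch_load(node)):
            continue
        value = next((kw.value for kw in node.keywords if kw.arg == "weights_only"), None)
        if value is None:
            # Keyword absent: the effective default depends on the installed torch version, so flag for review
            label, unsafe = "unset", True
        elif isinstance(value, ast.Constant) and value.value is True:
            label, unsafe = "True", False
        elif isinstance(value, ast.Constant) and value.value is False:
            label, unsafe = "False", True
        else:
            # Computed at runtime (variable, config lookup): cannot prove it is True, so flag it
            label, unsafe = "dynamic", True
        findings.append(TorchLoadFinding(node.lineno, label, unsafe))
    findings.sort(key=lambda f: f.lineno)
    return findings


def unsafe_lines(source: str) -> list:
    """Line numbers of torch.load calls to migrate to safetensors or pin to weights_only=True."""
    return [f.lineno for f in audit_torch_load(source) if f.unsafe]


# Constructed sample resembling a checkpoint loader; not taken from AnomalyMatch
SAMPLE_SOURCE = "\n".join([
    "import torch",
    "ckpt = torch.load(path)",                                            # line 2: default-dependent
    "state = torch.load(path, weights_only=True)",                        # line 3: tensors only
    "legacy = torch.load(path, map_location='cpu', weights_only=False)",  # line 4: full pickle
    "cfg = torch.load(path, weights_only=flag)",                          # line 5: runtime value
])

if __name__ == "__main__":
    for f in audit_torch_load(SAMPLE_SOURCE):
        print(f"line {f.lineno}: weights_only={f.weights_only} {'UNSAFE' if f.unsafe else 'ok'}")
```

Run it over each `.py` file under the AnomalyMatch install path to get a line-level list of calls to review rather than a raw `grep` hit list.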
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ESA AnomalyMatch to version 1.3.1 or later, where the vulnerability has been fixed by replacing unsafe pickle-based deserialization with the safer safetensors format.
Avoid loading model checkpoint files from untrusted or unknown sources to prevent exploitation.
If upgrading immediately is not possible, review and modify your code to avoid using torch.load with weights_only=False on untrusted files.