CVE-2026-15535
Received Received - Intake

Deserialization Flaw in AkariAsai Self-RAG

Vulnerability report for CVE-2026-15535, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability was determined in AkariAsai self-rag up to 1fcdc420e48f50a7d7ab1ece5494221b93252e99. Affected by this issue is the function Indexer.deserialize_from of the file retrieval_lm/src/index.py of the component retrieval_lm. Executing a manipulation of the argument index_meta.faiss can lead to deserialization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
akariasai self_rag to 1fcdc420e48f50a7d7ab1ece5494221b93252e99 (inc)
akari_asai self_rag to 1fcdc420e48f50a7d7ab1ece5494221b93252e99 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability, identified as CVE-2026-15535, exists in the Self-RAG project within the function Indexer.deserialize_from in the file retrieval_lm/src/index.py. It involves unsafe deserialization of data using Python's pickle module when loading the index_meta.faiss file. An attacker who can manipulate this file can execute arbitrary Python code remotely with the privileges of the running process. This occurs because the pickle data is loaded without validation, allowing malicious payloads to run code during deserialization.

The vulnerability is exploitable if the --save_or_load_index flag is enabled and the attacker controls the cache directory, for example through a malicious download or shared storage. The issue has been publicly disclosed and a fix has been proposed to replace pickle with safer JSON serialization and validation to prevent arbitrary code execution.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary code on the system running the Self-RAG application. This can lead to running system commands, stealing credentials, or poisoning downstream retrieval-augmented generation (RAG) outputs.

  • Remote code execution with the privileges of the Self-RAG process.
  • Potential theft of sensitive information such as credentials.
  • Manipulation or poisoning of generated outputs that rely on the retrieval index.
  • Compromise of system integrity and security if the attacker controls the cache directory.
Detection Guidance

This vulnerability involves unsafe deserialization of the index_meta.faiss file using Python's pickle module in the Self-RAG project. Detection involves checking if the vulnerable function Indexer.deserialize_from() is used to load pickle data from untrusted sources, especially if the --save_or_load_index flag is enabled and the attacker can control the cache directory.

To detect potential exploitation or presence of malicious pickle files, you can inspect the cache directory for unexpected or suspicious index_meta.faiss files.

Suggested commands to help detect this vulnerability include:

  • List files in the cache directory where index_meta.faiss might be stored: `ls -l /path/to/cache/`
  • Check for recent modifications or unexpected files: `find /path/to/cache/ -type f -name 'index_meta.faiss' -exec ls -l {} \;`
  • If you have Python access, attempt to safely load the file using a non-pickle method or inspect the file type: `file /path/to/cache/index_meta.faiss`
  • Monitor logs or runtime behavior for unexpected code execution or errors related to deserialization.

Because the vulnerability is related to unsafe pickle deserialization, any detection method should focus on identifying untrusted or manipulated pickle files being loaded.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of unsafe pickle deserialization for loading retriever index metadata.

Specifically, you should:

  • Disable or avoid enabling the --save_or_load_index flag if possible, to prevent loading potentially malicious cache files.
  • Replace the use of Python's pickle module for serializing and deserializing index metadata with safer formats such as JSON, which do not allow arbitrary code execution.
  • Validate the shape and types of loaded metadata to reject malformed or crafted payloads.
  • Reject old or invalid pickle metadata with clear error messages to prevent accidental loading.
  • Ensure that the cache directory is protected and not writable by untrusted users or processes to prevent malicious file replacement.

These steps are reflected in the fix implemented in the referenced pull request, which replaces pickle with JSON and adds validation and error handling.

Compliance Impact

The vulnerability allows arbitrary code execution through unsafe deserialization of retriever index metadata, which can lead to unauthorized system commands execution, credential theft, and poisoning of downstream data. Such security risks can compromise the confidentiality and integrity of sensitive data.

This type of vulnerability may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and processing. Exploitation could lead to data breaches or unauthorized data manipulation, potentially violating these regulations.

Mitigation involves replacing unsafe pickle deserialization with safer formats like JSON and adding validation and integrity checks, reducing the risk of arbitrary code execution and helping maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15535. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart