Severity: CRITICAL | CVE-2026-3490 | CNA: VulnCheck

CVE-2026-3490: picklescan - Universal Blocklist Bypass via pkgutil.resolve_name

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Metrics

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: 1.0.4
Affected Products: 1


HarborGuard Analysis

Synopsis

A universal blocklist bypass vulnerability exists in picklescan before version 1.0.4. The library, which scans Python pickle files for dangerous opcodes, fails to block pkgutil.resolve_name, allowing any attacker who can supply a malicious pickle file to resolve and invoke blocked functions such as os.system, builtins.exec, or subprocess.call through indirect REDUCE calls. This bypass requires no authentication and is reachable over the network, leading directly to remote code execution on any host that processes the malicious file. A patched-image rebuild at version 1.0.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle picklescan as a dependency.

Triage: Available

HarborGuard scores this finding at CVSS 10.0 (Critical) and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at picklescan 1.0.4 becomes available in HarborGuard as soon as the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the service over the network and deliver a crafted pickle payload to any endpoint that processes pickle files using picklescan.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated party who can submit or upload a pickle file can trigger the bypass.

  • Victim interaction: Not required

    No user action is required; the vulnerable code path executes automatically when the application processes the malicious pickle file.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or environmental factors need to be satisfied.

Blast Radius

  • The attacker executes arbitrary system commands on the host running picklescan, gaining full code execution at the process privilege level.
  • Confidential data accessible to the process, including environment variables, secrets, and filesystem contents, is directly readable by the attacker.
  • The attacker can write, overwrite, or delete files and modify application state on the host.
  • In containerized environments, a successful exploit can be used as a stepping stone to read mounted secrets or reach adjacent services within the same pod or network namespace.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-3490 is active across all connected registries and build pipelines, matching any image layer that contains a picklescan release earlier than 1.0.4.

For customers who opt into auto-remediation, HarborGuard triggers a patched-image rebuild at version 1.0.4, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts automated changes, the finding is surfaced as a critical-priority item in the team inbox with the fix version and affected image digest included.

Until a rebuild is deployed, compensating controls include:

  • restricting which services are permitted to call picklescan on untrusted input,
  • applying network-policy rules to limit which sources can deliver pickle payloads to those services, and
  • auditing any pipeline step that ingests third-party model or data files in pickle format.
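For the pipeline audit mentioned above, the following added example (not HarborGuard's or picklescan's own code) statically lists the globals a pickle would import and shows why a blocklist of direct names misses a reference to pkgutil.resolve_name while an allowlist does not. The blocklists, the allowlist and the sample byte strings are constructed for illustration; the samples only reference a global, call nothing, and are never unpickled.

```python
import pickletools

# Constructed sample inputs: each pickle only *references* a global and stops.
# Nothing is called, and this script never unpickles them.
SAMPLE_PROTO2 = b"\x80\x02cpkgutil\nresolve_name\n."                 # GLOBAL
SAMPLE_PROTO4 = b"\x80\x04\x8c\x07pkgutil\x8c\x0cresolve_name\x93."  # STACK_GLOBAL
SAMPLE_BENIGN = b"\x80\x02ccollections\nOrderedDict\n."

# Hypothetical lists for illustration; not picklescan's real blocklist.
BLOCKLIST_DIRECT = {("os", "system"), ("builtins", "exec"), ("subprocess", "call")}
BLOCKLIST_WITH_RESOLVER = BLOCKLIST_DIRECT | {("pkgutil", "resolve_name")}
ALLOWLIST = {("collections", "OrderedDict")}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}  # leave the stack unchanged


def imported_globals(data: bytes) -> set:
    """Return every (module, name) the pickle would import, without loading it."""
    found, recent = set(), []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL":
            pair = recent[-2:]
            if len(pair) == 2 and all(isinstance(s, str) for s in pair):
                found.add((pair[0], pair[1]))
            else:
                found.add(("<unresolved>", "<unresolved>"))  # fail closed
        if opcode.name in STRING_OPS:
            recent.append(arg)
        elif opcode.name not in MEMO_OPS:
            recent.append(None)
    return found


def blocklist_hits(data: bytes, blocklist: set) -> set:
    """Globals in the pickle that the given blocklist would flag."""
    return imported_globals(data) & blocklist


def allowlist_violations(data: bytes, allowlist: set) -> set:
    """Globals in the pickle that are not explicitly permitted."""
    return imported_globals(data) - allowlist
```

A STACK_GLOBAL whose operands are not two literal strings pushed immediately before it (for example, values fetched from the memo) is reported as unresolved, so both checks treat it as a finding rather than guessing.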


Fix available: 1.0.4
Affected packages
  • picklescan / picklescan
    < 1.0.4 (from 0)
    Fixed in 1.0.4
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H