CVE-2026-38950: An issue in ESA AnomalyMatch before 1
An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An arbitrary code execution vulnerability exists in ESA AnomalyMatch before version 1.3.1, triggered by loading crafted machine learning model checkpoint files. The attack is local, requires a low-privilege account, and no interaction from another user. Successful exploitation gives an attacker full control over the host process, including the ability to read, modify, or destroy any data accessible to that process. HarborGuard is tracking the advisory for patch availability and will make a patched rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection capability is available across all HarborGuard environments; this CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, covering both third-party and custom-built container images that include the affected ESA AnomalyMatch package.
AvailableHarborGuard scores this issue at CVSS 7.8 HIGH and is capable of weighting that score against each environment's compliance policy to prioritize alerts appropriately; routing to the correct team inbox within each customer organization is handled automatically based on configured ownership rules.
AvailableNo fix version has been published upstream yet; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the service is required.
- AuthenticationRequired
Any low-privilege local account is sufficient to carry out the attack.
- Victim interactionNot required
No other user needs to take any action for the exploit to succeed.
- Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special environmental factors are required.
Blast Radius
- The attacker executes arbitrary code within the context of the process loading the checkpoint file.
- All data readable by that process is exposed, including model artifacts, session data, and any credentials or secrets available to the running user.
- The attacker can modify or delete files and persisted data accessible to the process.
- The affected process and any dependent services can be crashed or rendered unavailable.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images that include ESA AnomalyMatch. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment version 1.3.1 or a subsequent fix is published. In the interim, compensating controls worth evaluating include restricting write access to session directories so that only trusted processes can place checkpoint files there, applying container-level seccomp or AppArmor profiles to limit the syscall surface available during model loading, and using network-policy isolation to reduce the blast radius if the container is also internet-facing. For customers with auto-remediation enabled, once the fix ships the full rebuild, regression-test, and PR flow will trigger automatically without manual intervention.
- n/a / n/an/a
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H