CVE-2026-53872: picklescan - Arbitrary File Read via Unsafe Pickle Deserialization
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 0.0.35
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file read vulnerability exists in picklescan before version 0.0.35, caused by unsafe pickle deserialization. The vulnerability is reachable over the network and requires no authentication, allowing an unauthenticated remote attacker to chain io.FileIO and urllib.request.urlopen inside a crafted pickle payload to bypass RCE-focused blocklists and exfiltrate arbitrary files from the server. Successful exploitation gives the attacker read access to any file the process can reach, including sensitive system and application files. A patched-image rebuild at version 0.0.35 is available on HarborGuard for environments running an affected version of picklescan.
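The bypass described above comes down to which globals a scanner's blocklist denies. As an added example (not picklescan's own code), the following minimal static scanner walks a pickle's opcode stream with pickletools without ever loading it, collects every referenced global, and shows that a constructed stream referencing io.FileIO and urllib.request.urlopen passes an RCE-only blocklist but is caught once file-read and network primitives are added. The blocklists and the fixture streams are constructed for illustration.

```python
import pickle
import pickletools

# Constructed, illustrative blocklists. An RCE-focused list denies code-execution
# primitives only; the exfiltration list adds the file-read and network globals named
# in this advisory (the "_io" entries cover the C implementation's module name).
RCE_BLOCKLIST = {("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
                 ("builtins", "eval"), ("builtins", "exec")}
EXFIL_BLOCKLIST = {("io", "FileIO"), ("_io", "FileIO"), ("io", "open"), ("_io", "open"),
                   ("builtins", "open"), ("urllib.request", "urlopen")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Walk the opcode stream (never pickle.loads) and collect every
    (module, name) pair the stream would import on load."""
    found, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # genops yields "module name"
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            # Pops name then module; the two most recent string constants suffice for
            # streams pickle itself emits (a simplification, not a full pickle VM).
            if len(strings) >= 2:
                found.add((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


def scan(data: bytes, blocklist: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the blocklisted globals a stream references, sorted for stable output."""
    return sorted(referenced_globals(data) & blocklist)


# Constructed fixtures. The suspicious streams only *reference* globals (no call
# opcodes), which is all a static blocklist scanner needs to see.
BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3]})
RCE_STYLE = b"cos\nsystem\n."                                # protocol 0 GLOBAL
EXFIL_STYLE = b"(cio\nFileIO\ncurllib.request\nurlopen\nt."  # protocol 0 GLOBALs
EXFIL_STYLE_P4 = b"\x80\x04\x8c\x02io\x8c\x06FileIO\x93."    # protocol 4 STACK_GLOBAL

if __name__ == "__main__":
    full = RCE_BLOCKLIST | EXFIL_BLOCKLIST
    for label, blob in [("benign", BENIGN), ("rce", RCE_STYLE),
                        ("exfil", EXFIL_STYLE), ("exfil-p4", EXFIL_STYLE_P4)]:
        print(f"{label:9} rce-only={scan(blob, RCE_BLOCKLIST)} extended={scan(blob, full)}")
```

The "exfil" fixtures return an empty list against RCE_BLOCKLIST alone, which is the gap the 0.0.35 blocklist update closes.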
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle picklescan as a dependency. Any image containing a picklescan version below 0.0.35 is flagged automatically during both scheduled scans and pipeline-gate checks.
HarborGuard scores this finding at CVSS 8.7 HIGH using the v4.0 vector from the upstream record, and per-environment compliance policy weighting is applied to adjust urgency based on each customer's risk posture. Findings are routed to the appropriate team inbox within each customer organization according to configured ownership rules.
A patched-image rebuild at picklescan 0.0.35 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the service over the network to deliver a crafted pickle payload, as the CVSS vector specifies AV:N.
- Authentication: Not required
No credentials or session token are needed; the CVSS vector specifies PR:N, meaning any unauthenticated party who can reach the service can attempt exploitation.
- Victim interaction: Not required
No user action is required to trigger the vulnerability; the CVSS vector specifies UI:N, so exploitation is fully attacker-driven.
- Attack complexity: Low
Exploitation is reliable and condition-free; the CVSS vector specifies AC:L and AT:N, meaning no race conditions or special environmental factors must align for the attack to succeed.
Blast Radius
- The attacker reads arbitrary files from the server filesystem, including credential files such as /etc/passwd, application configuration files, and private keys accessible to the process.
- Crafted pickle payloads exfiltrate file contents to an attacker-controlled external server via urllib.request.urlopen, so stolen data leaves the environment silently over outbound HTTP or HTTPS.
- Confidentiality of any file readable by the process running picklescan is fully compromised; the CVSS vector specifies VC:H with no integrity or availability impact.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-53872 is active across all scanning environments, matching any image that includes picklescan below 0.0.35. A patched rebuild at version 0.0.35 is available immediately for affected images. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, executes a regression run, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with remediation guidance so teams can act manually. As an interim compensating control, customers can apply egress network policies to block unexpected outbound connections from containers running picklescan, which limits the attacker's ability to exfiltrate file contents to an external server even if a malicious payload is processed.
Fix available
- picklescan / picklescan: affected < 0.0.35 (from 0); fixed in 0.0.35
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N