Severity: CRITICAL | CVE-2026-53873 | CNA: VulnCheck

CVE-2026-53873: picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 1.0.4
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an arbitrary code execution vulnerability in picklescan, a Python library used to detect malicious pickle files. The flaw is reachable over the network with no authentication required, because any system that accepts and scans pickle files from untrusted sources is exposed. An attacker crafts a malicious pickle file that calls profile.run() to execute arbitrary Python code, while picklescan reports zero security issues, giving no indication that the payload ran. A patched-image rebuild at version 1.0.4 is available on HarborGuard for affected environments.
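The bypass described above is what happens when a scanner enumerates dangerous callables one by one and misses one. As an added example (not picklescan's or HarborGuard's code), the Python below statically lists every global a pickle imports and rejects anything outside an allowlist, so a reference to profile.run is flagged whatever a blocklist covers. ALLOWED_GLOBALS, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

# Assumption for this example: the only globals a trusted file may import.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def imported_globals(data):
    """Statically list the (module, name) pairs a pickle imports. Never unpickles."""
    found, tail = set(), []  # tail: recent stack pushes, None for non-strings
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            found.add((module, name))
            tail.append(None)
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed just before.
            pair = tuple(tail[-2:])
            ok = len(pair) == 2 and None not in pair
            # Fail closed when the operands cannot be resolved statically.
            found.add(pair if ok else ("<unresolved>", "<unresolved>"))
            tail.append(None)
        elif op.name not in MEMO_OPS:
            tail.append(arg if isinstance(arg, str) else None)
    return found

def disallowed_globals(data):
    """Globals outside the allowlist; a non-empty result means reject the file."""
    return imported_globals(data) - ALLOWED_GLOBALS

# Constructed samples. None of them is ever loaded.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})
ALLOWED = pickle.dumps(OrderedDict(layer=1))
# Protocol 0 reference to profile.run and nothing else: GLOBAL opcode, then STOP.
REF_P0 = b"cprofile\nrun\n."
# Same reference as protocol 4 emits it: two strings followed by STACK_GLOBAL.
REF_P4 = b"\x80\x04\x8c\x07profile\x8c\x03run\x93."

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("allowed", ALLOWED), ("p0", REF_P0), ("p4", REF_P4)]
    for label, blob in samples:
        print(label, sorted(disallowed_globals(blob)))
```

The STACK_GLOBAL handling is deliberately conservative: operands that arrive through the memo or any non-string push are reported as unresolved and the file is rejected.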

HarborGuard Coverage

Detection

Detection of CVE-2026-53873 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle picklescan as a dependency. Any image carrying a picklescan version below 1.0.4 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 9.3 Critical (CVSS v4.0) and surfaces it with that severity weighting applied against each environment's compliance policy. Triage tickets are routed to the team inbox configured inside each customer org based on the image owner and policy rules in place.

Status: Available

Patch

A patched-image rebuild at picklescan 1.0.4 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to deliver a crafted pickle file to a service that invokes picklescan over the network; any internet-exposed or internally networked file-intake endpoint that calls picklescan is in scope.

  • Authentication: Not required

    No credentials or account are needed; the attacker only needs to submit a file to a picklescan-scanning endpoint, which typically accepts unauthenticated input.

  • Victim interaction: Not required

    No user action is required; exploitation occurs automatically when picklescan processes the malicious pickle file.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; crafting a pickle payload that calls profile.run() requires no race conditions, memory layout knowledge, or special environmental prerequisites.

Blast Radius

  • The attacker executes arbitrary Python code in the process running picklescan, gaining full control of that process and its runtime environment.
  • Any secrets, credentials, or tokens accessible to the scanning process (such as environment variables or mounted files) are readable by the attacker.
  • The attacker can modify or delete files and data accessible to the scanning process, including scan results and downstream pipeline artifacts.
  • The scanning service itself can be crashed or repurposed, disabling the security gate that picklescan is meant to provide.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53873 is active across all connected registries and pipelines, matching images that bundle picklescan below version 1.0.4. For customers who opt into auto-remediation, HarborGuard generates a rebuilt image at picklescan 1.0.4, runs a regression test pass, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding in the triage queue with CVSS context and fix-version detail so teams can act manually. As a compensating control while remediation is in progress, consider restricting which services can submit files to picklescan-backed endpoints using network policy, and gate file intake on an allowlist of trusted sources.


Fix available: 1.0.4

Affected packages

  • picklescan / picklescan
    < 1.0.4 (from 0)
    Fixed in 1.0.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N