HarborGuard Database

CRITICAL | CVE-2026-56315 | CNA: VulnCheck

CVE-2026-56315: picklescan - Remote Code Execution via Unblocked Standard Library Modules

picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib), exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files that import these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.
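The root cause described above is a denylist: a scanner that blocks known-dangerous modules passes anything it has not heard of, and the standard library is large enough that omissions are inevitable. The defensive alternative is to allowlist the imports a pickle stream may perform and reject everything else. The following is an added example of that approach, written for this record; it is not picklescan's code and not HarborGuard's. The allowlist contents, the sample pickle byte strings and the names `extract_imports`/`scan` are constructed for the example. It inspects the opcode stream with `pickletools.genops` and never unpickles the input.

```python
import pickle
import pickletools
from collections import OrderedDict

# Allowlist of module -> permitted attribute names. Anything a pickle tries to
# import that is not listed is reported, so a module the policy author never
# considered (the failure mode behind this CVE) is rejected by default.
# These entries are constructed for the example, not a recommended policy.
ALLOWLIST = {
    "collections": {"OrderedDict"},
    "builtins": {"set", "frozenset"},
}

# Opcodes that push a string constant, and opcodes that only touch the memo.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}
MEMO_OPS = {"MEMOIZE", "BINPUT", "LONG_BINPUT", "PUT"}


def extract_imports(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the pickle stream would import.

    Only the opcode stream is inspected; nothing is unpickled. GLOBAL carries
    its operands inline. STACK_GLOBAL takes them from the two most recently
    pushed string constants, which are recovered from the preceding opcodes.
    Operands that cannot be resolved statically (for example fetched from the
    memo with BINGET) raise ValueError so the caller can fail closed.
    """
    imports = []
    history = []  # (opcode name, argument) in stream order
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, attr = arg.split(" ", 1)  # genops yields "module name"
            imports.append((module, attr))
        elif opcode.name == "STACK_GLOBAL":
            operands = []
            for prev_name, prev_arg in reversed(history):
                if prev_name in MEMO_OPS:
                    continue  # memo bookkeeping leaves the stack unchanged
                if prev_name not in STRING_OPS:
                    break     # not a string literal: cannot resolve statically
                operands.append(prev_arg)
                if len(operands) == 2:
                    break
            if len(operands) != 2:
                raise ValueError("STACK_GLOBAL operands are not string literals")
            attr, module = operands  # walked backwards: the name was pushed last
            imports.append((module, attr))
        history.append((opcode.name, arg))
    return imports


def scan(data: bytes) -> tuple[bool, list[str]]:
    """Return (ok, findings). ok is False for any import outside ALLOWLIST and
    for any stream whose imports cannot be determined statically."""
    try:
        imports = extract_imports(data)
    except ValueError as exc:
        return False, [f"rejected: {exc}"]
    findings = [f"{module}.{attr}" for module, attr in imports
                if attr not in ALLOWLIST.get(module, ())]
    return not findings, findings


# Constructed sample inputs.
SAFE_PLAIN_DICT = pickle.dumps({"a": 1}, protocol=4)            # no imports at all
SAFE_ORDERED_DICT = pickle.dumps(OrderedDict(a=1), protocol=4)  # collections.OrderedDict
# Hand-built streams importing a benign class from a module that is absent from
# the allowlist, once via GLOBAL (protocol 2) and once via STACK_GLOBAL (protocol 4).
UNLISTED_GLOBAL = b"\x80\x02cuuid\nUUID\n."
UNLISTED_STACK_GLOBAL = b"\x80\x04\x8c\x04uuid\x8c\x04UUID\x93."
# STACK_GLOBAL whose operands come back out of the memo via BINGET: this scanner
# cannot resolve them, so the stream is rejected rather than assumed safe.
MEMO_INDIRECT = b"\x80\x04\x8c\x04uuid\x94\x8c\x04UUID\x94h\x00h\x01\x93."

if __name__ == "__main__":
    samples = [("plain dict", SAFE_PLAIN_DICT), ("OrderedDict", SAFE_ORDERED_DICT),
               ("GLOBAL uuid", UNLISTED_GLOBAL), ("STACK_GLOBAL uuid", UNLISTED_STACK_GLOBAL),
               ("memo indirect", MEMO_INDIRECT)]
    for label, data in samples:
        ok, findings = scan(data)
        print(f"{label:18s} {'ok' if ok else 'REJECT'} {findings}")
```

The two `uuid.UUID` samples are the point: a denylist that forgot `uuid` passes both, while the allowlist flags them without knowing anything about the module. The `MEMO_INDIRECT` sample shows the other design choice worth copying: when the scanner cannot tell what a stream imports, it rejects the file instead of guessing.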

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 1.0.4
Affected Products: 1


HarborGuard Analysis

Synopsis

A bypass of picklescan's safety validation allows an attacker to achieve remote code execution by crafting a malicious pickle file that imports unblocked Python standard library modules. The vulnerability is reachable over the network with no authentication required, as reflected in the CVSS v4.0 vector (AV:N, PR:N, UI:N). Successful exploitation gives the attacker arbitrary command execution on the host running picklescan, with full impact to confidentiality, integrity, and availability. A patched-image rebuild at version 1.0.4 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle picklescan, across all connected registries and CI pipelines.

Triage: Available

HarborGuard scores this finding at CVSS v4.0 9.3 (Critical) and weights it against each environment's compliance policy to determine routing priority. Triage tickets are routed to the appropriate team inbox inside each customer org based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild pinned to picklescan 1.0.4 becomes available on HarborGuard the moment the fix version is confirmed in upstream package metadata. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to deliver a crafted pickle file to a service running picklescan over the network.

  • Authentication: Not required

    No credentials or account are needed to submit a malicious pickle file that triggers the bypass.

  • Victim interaction: Not required

    No user action is required; the exploit fires when picklescan processes the crafted file.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free: no race conditions, memory layout dependencies, or environmental prerequisites are involved (AC:L, AT:N).

Blast Radius

  • The attacker executes arbitrary operating system commands on the host running picklescan, with the privileges of the process.
  • All data accessible to that process, including stored secrets, credentials, and model files, is readable by the attacker.
  • The attacker can write, modify, or delete files and data accessible to the process, including poisoning model artifacts in place.
  • The picklescan process and any dependent services can be crashed or kept unavailable at the attacker's discretion.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-56315 is active across all customer environments, matching any image that includes a picklescan release below 1.0.4. Because this is rated Critical (CVSS v4.0 9.3), it surfaces at the top of each environment's finding queue with compliance-policy weighting applied. A rebuilt image at picklescan 1.0.4 is available for affected environments. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a patch PR against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, the finding is routed to the appropriate team inbox with remediation guidance to pin picklescan to 1.0.4 or later.


Fix available: 1.0.4

Affected packages
  • picklescan / picklescan: < 1.0.4 (from 0); fixed in 1.0.4

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N