CVE-2026-38950: ESA AnomalyMatch Arbitrary Code Execution via Unsafe PyTorch Deserialization
ESA AnomalyMatch versions before 1.3.1 contain a critical flaw that allows attackers with local system access to run malicious code by uploading specially crafted model checkpoint files. The vulnerability stems from the application's use of unsafe deserialization when loading PyTorch model files, which can execute arbitrary Python code during the loading process. An attacker who can place a malicious model file in the session directories—or trick a user into loading one—gains the ability to execute commands with the privileges of the AnomalyMatch process.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-502
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-38950 is a code injection vulnerability in ESA AnomalyMatch that exploits insecure deserialization practices. The application uses PyTorch's torch.load() function without restrictions, which inherently deserializes Python pickle data embedded in model checkpoint files. Since pickle can encode and execute arbitrary Python code during deserialization, an attacker can craft a malicious .pth or checkpoint file containing embedded code that executes upon loading. The vulnerability affects model files stored in session directories, making it a local attack vector that requires prior access to the system or a mechanism to stage files where the application will load them.
Business impact
Organizations relying on ESA AnomalyMatch for anomaly detection face direct code execution risk if attackers gain local file system access or if the application accepts user-supplied model files. Compromise could lead to data exfiltration, lateral movement within the network, poisoning of detection results (undermining the tool's core function), or deployment of persistent backdoors. The impact is particularly severe in environments where AnomalyMatch runs with elevated privileges or has access to sensitive data streams.
Affected systems
ESA AnomalyMatch versions prior to 1.3.1 are vulnerable. Organizations should verify their installed versions and prioritize upgrades. The vulnerability requires local system access to exploit, limiting the attack surface to authenticated users or attackers who have already compromised the host system where AnomalyMatch runs.
Exploitability
Exploitation requires local access (CVSS vector specifies AV:L), meaning an attacker must already be on the system or able to write files to directories the application accesses. The barrier to exploitation is low once access is gained—crafting a malicious PyTorch checkpoint is straightforward for attackers with Python knowledge. However, the attack does not require user interaction beyond normal application operation (UI:N), and no complex configuration is needed (AC:L). The primary constraint is the prerequisite of local presence or file write capability.
Remediation
Upgrade ESA AnomalyMatch to version 1.3.1 or later immediately. Verify the upgrade path with the vendor's advisory to confirm compatibility and any additional steps. After patching, restart all instances of the application. As a compensating control, restrict file system permissions on session directories and model repositories to prevent unauthorized file writes, and audit access logs for suspicious model file uploads or loads.
Patch guidance
Apply the vendor's security update to upgrade ESA AnomalyMatch to version 1.3.1 or later. Consult ESA's official advisory for supported upgrade paths, potential breaking changes, and any required configuration adjustments. Test the patch in a staging environment first to ensure compatibility with your deployment. Plan for service restarts during the maintenance window. Verify the patched version using package managers or vendor-supplied checksums.
Detection guidance
Monitor for creation or modification of model checkpoint files (.pth, .pkl, or similar) in AnomalyMatch session directories, particularly from unexpected sources or users. Alert on unsuccessful torch.load() errors or exceptions that may indicate malformed or suspicious model files. Review audit logs for changes to model repositories and track who initiated model loads. Endpoint detection and response (EDR) tools should flag suspicious child processes spawned by the AnomalyMatch application process, which may indicate exploitation. Network monitoring can detect data exfiltration if the injected code attempts outbound communication.
Why prioritize this
This vulnerability merits rapid patching despite its local-access requirement. Code execution is the most severe outcome, and the deserialization flaw is trivial to exploit given access. Organizations should treat this as high-priority if they run AnomalyMatch on multi-user systems, shared infrastructure, or where other vulnerabilities could provide an attacker with initial local access. The lack of KEV status does not diminish the urgency; patch promptly within your normal high-severity cycle.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects complete compromise of confidentiality, integrity, and availability once the attacker executes code. The local-access vector (AV:L) prevents remote exploitation, lowering the score below critical. However, low attack complexity (AC:L) and no privileges required beyond local presence (PR:L) mean exploitation is straightforward. The true risk depends on your environment's access controls and whether AnomalyMatch is exposed to multi-tenant or untrusted-user scenarios.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The CVSS vector specifies AV:L (local access), meaning the attacker must already have presence on the host system or be able to write files to directories the application accesses. Remote exploitation would require a separate vulnerability that grants initial system access.
What is the difference between this and a general 'arbitrary code execution' flaw?
This flaw is specifically rooted in unsafe deserialization of PyTorch model files. It is not a memory corruption or injection flaw affecting the AnomalyMatch application itself, but rather a design flaw in how the application loads untrusted serialized Python objects. The distinction matters for detection and mitigation—focus on controlling model file sources and validating file integrity.
If I upgrade to 1.3.1, is my system immediately safe?
Upgrading closes the deserialization vulnerability, but you should also audit your model file repositories to ensure no malicious checkpoints were already staged or loaded. Review logs for suspicious activity between the vulnerability's disclosure date and your patching date, and consider rotating credentials or secrets that may have been accessed.
Are there workarounds if I cannot patch immediately?
Yes. Restrict write permissions on session and model directories to prevent unauthorized file uploads. Disable any user-facing model upload or import features if they are not essential. Run AnomalyMatch with the lowest possible privileges and monitor child process creation. These controls reduce risk but do not eliminate it; treat them as temporary measures while you plan your patch deployment.
This analysis is provided for informational purposes and based on the vulnerability data available as of the publication date. SEC.co does not conduct independent verification of exploit feasibility or vendor patch effectiveness. Organizations should validate patch applicability and compatibility within their environments before deployment. CVSS scores reflect generic severity; your organization's risk may differ based on exposure, access controls, and operational context. Consult ESA's official advisory and your vendor support channels for definitive guidance on patch versions, rollback procedures, and compatibility matrices. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation
- CVE-2026-37579HIGHSMSGate Remote Code Execution via CMPP7 Deserialization
- CVE-2026-39550HIGHAperitif Theme Remote Code Execution via Object Injection
- CVE-2026-39551HIGHTöbel Deserialization Remote Code Execution Vulnerability
- CVE-2026-39555HIGHAskka Plugin Object Injection Deserialization Vulnerability (CVSS 8.1)