PT-2026-40124 · Ludwig · Ludwig
Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-31237
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ludwig framework versions prior to 0.10.5
Description: Insecure deserialization occurs through the predict() method. When a dataset file path is passed to this method, the framework infers the file format from the path. If a pickle (.pkl) file is supplied, it is loaded via the pandas.read_pickle() function without validation or security restrictions. This deserializes arbitrary Python objects with the unsafe pickle module, which can lead to arbitrary code execution on the system running the prediction.
Recommendations: Update to version 0.10.5 or later. As a temporary workaround, do not pass pickle (.pkl) files to the predict() method.
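The workaround above can be enforced in code. The following guard is an added example, not Ludwig's own code: it rejects a dataset path before it reaches predict() when the path carries a pickle suffix (including compressed forms such as .pkl.gz) or the file begins with the pickle PROTO header. The format allow-list and the predict(dataset=...) keyword are assumptions made for this example.

```python
import pickle
from pathlib import Path

# Allow-list for this example: formats Ludwig parses with a real reader rather
# than pickle. This set is an assumption, not Ludwig's own format list.
ALLOWED_SUFFIXES = {".csv", ".tsv", ".json", ".jsonl", ".parquet"}
PICKLE_SUFFIXES = {".pkl", ".pickle", ".p"}
PICKLE_MAGIC = b"\x80"  # PROTO opcode; every protocol >= 2 pickle starts with it


def has_pickle_header(path: Path) -> bool:
    """True if the file starts with the PROTO opcode plus a protocol byte 2..5.

    Protocol 0/1 streams have no fixed header, so this is a backstop for the
    suffix check, not a replacement for it.
    """
    with open(path, "rb") as f:
        head = f.read(2)
    return (len(head) == 2 and head[0:1] == PICKLE_MAGIC
            and 2 <= head[1] <= pickle.HIGHEST_PROTOCOL)


def check_dataset_path(dataset_path: str) -> tuple[bool, str]:
    """Decide whether a dataset path may be handed to predict()."""
    path = Path(dataset_path)
    suffixes = {s.lower() for s in path.suffixes}  # also catches data.pkl.gz
    if suffixes & PICKLE_SUFFIXES:
        return False, f"refusing {path.name}: pickle datasets are deserialized unsafely"
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        return False, f"unsupported dataset suffix {path.suffix!r}"
    if path.is_file() and has_pickle_header(path):
        return False, f"{path.name} carries a pickle header despite its suffix"
    return True, "ok"


def safe_predict(model, dataset_path: str, **kwargs):
    """Guarded wrapper; assumes LudwigModel.predict(dataset=...) (unverified here)."""
    ok, reason = check_dataset_path(dataset_path)
    if not ok:
        raise ValueError(reason)
    return model.predict(dataset=dataset_path, **kwargs)
```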

Fix
Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers: CVE-2026-31237, GHSA-WCR3-GM9F-F87Q
Affected Products: Ludwig