Security, Human Behavior and Artificial Intelligence
Welcome to my personal laboratory!
My name is Ivan Marković, and I explore the intersection of security, human behavior and artificial intelligence.
With over 20 years of experience designing security solutions and leading technical teams, I focus on ethical technology, behavioral risk design, and building safer, more transparent digital systems.
Security Advisory: European Space Agency (ESA) AnomalyMatch unsafe deserialization leading to arbitrary code execution (CVE-2026-38950)
===============================================================================
SECURITY ADVISORY
===============================================================================
CVE ID: CVE-2026-38950
TITLE: UNSAFE DESERIALIZATION IN ESA ANOMALYMATCH LEADING TO ARBITRARY CODE EXECUTION
AUTHOR: Ivan Marković via Accenture
DATE: 26.05.2026
CONTENT:
- Summary
- Affected product
- Vulnerability details
- Impact
- Fix
- Credit
- Disclosure timeline
- References
===============================================================================
SUMMARY
===============================================================================
AnomalyMatch is an ESA-developed AI system that uses neural networks to
identify unusual astronomical objects. It recently helped surface more than
1,300 previously unseen anomalies in NASA's Hubble Legacy Archive and is
positioned to scale to next-generation sky surveys.
Versions prior to 1.3.1 contained an unsafe deserialization flaw in the model
checkpoint loader: a maliciously crafted checkpoint file, loaded through the
normal workflow, executes arbitrary code on the host under the privileges of
the user running AnomalyMatch.
The issue is fixed in version 1.3.1, released 11.05.2026.
===============================================================================
AFFECTED PRODUCT
===============================================================================
Vendor: European Space Agency (ESA)
Product: AnomalyMatch
Affected versions: < 1.3.1
Fixed in: 1.3.1
Repository: https://github.com/esa/AnomalyMatch
===============================================================================
VULNERABILITY DETAILS
===============================================================================
CWE: CWE-502 (Deserialization of Untrusted Data)
CVSS 3.1: 7.8 (High)
Root cause:
AnomalyMatch handled model checkpoints with torch.save() and
torch.load(weights_only=False). With weights_only=False, torch.load delegates
object reconstruction to Python pickle. Pickle deserialization is unsafe by
design: it can instantiate arbitrary objects and invoke arbitrary callables
encoded in the serialized stream, which an attacker can use for arbitrary
code execution.
The vulnerability is triggered whenever a user loads a checkpoint produced
or modified by an attacker. In machine learning workflows, model weights are
frequently shared, downloaded from third party sources, or reused across
teams, which makes a poisoned checkpoint a realistic delivery vector.
===============================================================================
IMPACT
===============================================================================
Successful exploitation results in arbitrary code execution on the host
loading the checkpoint, under the privileges of the user running
AnomalyMatch. Depending on where AnomalyMatch is deployed (researcher
workstation, shared analysis node, compute cluster), this can lead to
data exfiltration, lateral movement, or tampering with downstream
scientific results.
===============================================================================
FIX
===============================================================================
Version 1.3.1 (released 11.05.2026) removes the vulnerability:
- All torch.save and torch.load(weights_only=False) calls are removed.
- Checkpoint serialization is migrated to safetensors.
- No legacy .pth / .pkl loading is retained.
Users should upgrade to AnomalyMatch 1.3.1 or later. Any previously stored
.pth / .pkl checkpoints whose origin cannot be fully trusted should not
be loaded with older versions.
===============================================================================
CREDIT
===============================================================================
Reported by Ivan Marković via Accenture.
===============================================================================
DISCLOSURE TIMELINE
===============================================================================
04.02.2026 Initial report to ESA CERT
25.03.2026 Fix pull request opened (esa/AnomalyMatch PR #9)
27.03.2026 Fix merged to main
11.05.2026 AnomalyMatch v1.3.1 released
19.05.2026 CVE-2026-38950 reserved
26.05.2026 Public disclosure
01.06.2026 CVE-2026-38950 published
===============================================================================
REFERENCES
===============================================================================
- AnomalyMatch v1.3.1 release notes
https://github.com/esa/AnomalyMatch/releases/tag/v1.3.1
- Fix pull request (esa/AnomalyMatch PR #9)
https://github.com/esa/AnomalyMatch/pull/9
- Accenture AARO CVE list entry
https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md
- CWE-502: Deserialization of Untrusted Data
https://cwe.mitre.org/data/definitions/502.html
- NASA Hubble feature: AI Unlocks Hundreds of Cosmic Anomalies
https://science.nasa.gov/missions/hubble/ai-unlocks-hundreds-of-cosmic-anomalies-in-hubble-archive/
- AnomalyMatch Security Advisory
https://imlabs.info/research/security_advisory_esa_anomaly_match_unsafe_deserialization_cve_2026_38950_ivan_markovic_052026.txt
===============================================================================
END OF ADVISORY
===============================================================================