CVE-2026-54499

CVE-2026-54499 is a high-severity insecure deserialization vulnerability in stanza (pip), affecting versions <= 1.12.1. It is fixed in 1.12.2.

Key facts

  • CVSS score: 7.5 (High)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: stanza
  • Fixed in: 1.12.2
  • Disclosed: 2026

Summary

Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using torch.load(..., weights_only=True), but automatically falls back to the fully unsafe torch.load(..., weights_only=False) when the safe load raises pickle.UnpicklingError. Because the UnpicklingError condition is fully attacker-controllable, any .pt file that contains a single unsupported pickle global will trigger it. An attacker who can place a malicious pretrain or model file on disk (via supply-chain compromise, a poisoned model repository, or a shared model cache) can achieve arbitrary code execution on any machine that loads a Stanza NLP pipeline. Code execution occurs inside the Stanza pretrain-loading API, not merely by calling torch.load directly.

Details

The vulnerable code is in pretrain.py#L59-L67 (Stanza 1.12.0).

When weights_only=True is passed, PyTorch's deserializer raises pickle.UnpicklingError for any object whose class or callable is not on the safe-globals allowlist. This is the intended safety mechanism. However, Stanza catches that exception and immediately reloads the same attacker-controlled file with weights_only=False, which invokes Python's full pickle deserializer and executes any __reduce__ method in the file without restriction.

The fallback is triggered reliably and intentionally: an attacker embeds one unsupported pickle global (e.g., builtins.open) anywhere in an otherwise structurally valid Stanza pretrain state dict. The safe load rejects it; the unsafe reload runs it.

The same try/except pattern exists in at least five additional loaders in Stanza 1.12.0:

| File | Lines |
|------|-------|
| stanza/models/common/pretrain.py | 64–66 |
| stanza/models/coref/model.py | 251–253, 329–331 |
| stanza/models/classifiers/trainer.py | 80–82 |
| stanza/models/constituency/basetrainer.py | 94–96 |

Additionally, stanza/models/lemmaclassifier/basemodel.py:127 calls torch.load(filename, lambda storage, loc: storage) with no weights_only argument at all, which defaults to False on any PyTorch < 2.6.

The call chain from the public API to the vulnerable fallback is:

PoC

Environment: Python 3.11, stanza==1.12.0, torch==2.12.0

Step 1: Install dependencies:
Step 2: Save the following as exploit.py:
Step 3: Run:
Expected output (confirmed):

The sentinel is created exclusively by the Stanza pretrain-loading API invoking the unsafe fallback, not by a direct torch.load call in the PoC.

Impact

Vulnerability class: CWE-502: Deserialization of Untrusted Data

Who is impacted: Any user, researcher, CI/CD pipeline, or production NLP service that loads a Stanza model pretrain file from a source that is not under the victim's exclusive cryptographic control. Concretely:

  • Developers who run stanza.Pipeline(lang) after downloading models from HuggingFace or GitHub
  • CI pipelines that automatically refresh Stanza models during builds
  • Research environments that share pretrain files over shared network storage or model repositories

Attack prerequisites: The attacker must be able to place a malicious .pt pretrain file at a path that Stanza will load.

Realistic delivery vectors include:

  • Compromise of a HuggingFace model repository hosting Stanza pretrain weights
  • Poisoning of a shared model cache directory (NFS, S3, artifact store)
  • A malicious pretrain file distributed via a third-party fine-tuning hub or research repo

What an attacker achieves: Arbitrary code execution with the full privileges of the process running stanza.Pipeline(), typically a developer workstation, a Jupyter notebook server, or a GPU training node. This allows credential theft (HuggingFace tokens, cloud IAM keys from environment variables), persistent backdoors, data exfiltration, and lateral movement in multi-tenant training infrastructure.

Recommended fix: Remove the unsafe fallback entirely. If weights_only=True raises UnpicklingError, fail closed.

If legacy NumPy-containing pretrain files must be supported, use PyTorch's add_safe_globals() API to allowlist the specific NumPy dtypes required, rather than disabling all safety checks. Apply the same fix to all six affected loaders listed above.
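
The same two shapes the advisory describes, a safe load whose except handler reloads unsafely and a torch.load call with no weights_only argument, can be searched for in your own or vendored code with a small static check. This is an added example, not code from the advisory or from Stanza; the SAMPLE source and the finding labels are constructed for illustration.

```python
import ast
# Constructed sample in the shape the advisory describes; it is not Stanza's source.
SAMPLE = '''
import pickle, torch
def load_pretrain(filename):
    try:
        return torch.load(filename, weights_only=True)
    except pickle.UnpicklingError:
        return torch.load(filename, weights_only=False)
def load_legacy(filename):
    return torch.load(filename, lambda storage, loc: storage)
def load_strict(filename):
    return torch.load(filename, weights_only=True)
'''

def is_torch_load(node):
    """True for a call written as torch.load(...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "load"
            and isinstance(node.func.value, ast.Name) and node.func.value.id == "torch")

def weights_only_arg(call):
    """Literal value of weights_only, 'dynamic' if not a literal, 'missing' if absent."""
    for kw in call.keywords:
        if kw.arg == "weights_only":
            return kw.value.value if isinstance(kw.value, ast.Constant) else "dynamic"
    return "missing"

def torch_loads(stmts):
    """All torch.load calls anywhere inside the given statements."""
    return [n for s in stmts for n in ast.walk(s) if is_torch_load(n)]

def scan(source):
    """Return sorted (line, finding) pairs; the finding labels are this example's own."""
    tree, findings, seen = ast.parse(source), [], set()
    for node in ast.walk(tree):
        # Safe load in the try body plus a weaker load in a handler is the fallback.
        if isinstance(node, ast.Try) and any(
                weights_only_arg(c) is True for c in torch_loads(node.body)):
            for call in torch_loads([s for h in node.handlers for s in h.body]):
                if weights_only_arg(call) is not True:
                    findings.append((call.lineno, "unsafe-fallback"))
                    seen.add(id(call))
    for node in ast.walk(tree):
        if is_torch_load(node) and id(node) not in seen:
            arg = weights_only_arg(node)
            if arg == "missing" or arg is False:  # missing means False on PyTorch < 2.6
                findings.append((node.lineno, f"weights_only-{str(arg).lower()}"))
    return sorted(findings)
```

Calling scan(SAMPLE) reports the handler's reload and the call without weights_only, and leaves the strict loader alone. The check only recognises calls spelled torch.load, so aliased imports need their own pass.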

Impact

What is insecure deserialization?

Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.

Severity and exposure

CVE-2026-54499 has a CVSS score of 7.5 (High). The attack vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.12.2). Upgrading removes the vulnerable code path.

Affected versions

pip

  • stanza (<= 1.12.1)

Security releases

  • stanza → 1.12.2 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's Application Detection and Response identifies whether CVE-2026-54499 is reachable in your applications.

Remediation advice

Upgrade stanza to 1.12.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-54499

What is CVE-2026-54499?

CVE-2026-54499 is a high-severity insecure deserialization vulnerability in stanza (pip), affecting versions <= 1.12.1. It is fixed in 1.12.2. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.

How severe is CVE-2026-54499?

CVE-2026-54499 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of stanza are affected by CVE-2026-54499?

stanza (pip) versions <= 1.12.1 are affected.

Is there a fix for CVE-2026-54499?

Yes. CVE-2026-54499 is fixed in 1.12.2. Upgrade to this version or later.

Is CVE-2026-54499 exploitable, and should I be worried?

Whether CVE-2026-54499 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-54499 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-54499?

Upgrade stanza to 1.12.2 or later.
