CVE-2026-7584
Severity CVSS v4.0:
HIGH
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
01/05/2026
Last modified:
04/05/2026
Description
The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.
Impact
Base Score 4.0
8.40
Severity 4.0
HIGH
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:zhinst:labone_q:*:*:*:*:*:*:*:* | 2.41.0 (including) | 26.1.2 (excluding) |
| cpe:2.3:a:zhinst:labone_q:26.4.0:beta1:*:*:*:*:*:* | ||
| cpe:2.3:a:zhinst:labone_q:26.4.0:beta2:*:*:*:*:*:* | ||
| cpe:2.3:a:zhinst:labone_q:26.4.0:beta3:*:*:*:*:*:* | ||
| cpe:2.3:a:zhinst:labone_q:26.4.0:beta4:*:*:*:*:*:* | ||
| cpe:2.3:a:zhinst:labone_q:26.4.0:beta5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page