PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31072 APScheduler CVE debrief

CVE-2026-31072 is a critical insecure deserialization (CWE-502) issue in APScheduler's JSONSerializer and CBORSerializer. According to the supplied CVE description, the unmarshal_object flow can dynamically import modules and invoke __setstate__ on arbitrary classes available in the Python environment, so a crafted JSON or CBOR payload can lead to remote code execution when it is processed. The CVE was published on 2026-05-19 and last modified on 2026-05-20.

Vendor: APScheduler
Product: APScheduler
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Operators and developers running APScheduler in Python applications, especially where JSONSerializer or CBORSerializer deserializes data that untrusted or semi-trusted parties can influence, whether directly or through an intermediate store or message path. Security teams should treat this as a critical remote code execution issue that requires no authentication and no user interaction.

Technical summary

The supplied CVE metadata describes an insecure deserialization weakness (CWE-502) in APScheduler's JSONSerializer and CBORSerializer. The reported behavior is that unmarshal_object dynamically imports a module, resolves a class from it, and then applies attacker-influenced state through that class's __setstate__; as described, the payload rather than the application decides which class is reconstructed. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network-reachable exploitation with low complexity, no privileges, and no user interaction, consistent with full-impact RCE. The source metadata references APScheduler and an external gist, but the corpus does not include the advisory text itself, so affected versions and fixes should be validated directly against the linked sources.
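To make the weakness class concrete, the following is an added, constructed illustration of the CWE-502 pattern the CVE description names (dynamic import plus __setstate__ on a payload-chosen class) next to an allowlisted variant. It is not APScheduler's code and the payload layout ("module", "class", "state" keys) is hypothetical; the point is that the naive unmarshaler will happily reconstruct any importable class, while the allowlisted one refuses anything the application did not register.

```python
import importlib
from typing import Any

# Constructed example (not APScheduler's code). Payload layout is hypothetical.


class Job:
    """A class the application legitimately expects to deserialize."""

    def __init__(self) -> None:
        self.func = None
        self.args: tuple = ()

    def __setstate__(self, state: dict) -> None:
        self.func = state.get("func")
        self.args = tuple(state.get("args", ()))


class Unexpected:
    """Stands in for any importable class the application never meant to
    reconstruct. A real gadget would do harm in __setstate__; this one only
    records that it was reached."""

    called = False

    def __setstate__(self, state: dict) -> None:
        type(self).called = True
        self.state = state


def unmarshal_naive(payload: dict) -> Any:
    """Vulnerable pattern: the payload decides which module is imported and
    which class is instantiated, then attacker-controlled state is applied."""
    module = importlib.import_module(payload["module"])
    cls = getattr(module, payload["class"])
    obj = cls.__new__(cls)  # bypasses __init__, as pickle-style unpickling does
    obj.__setstate__(payload["state"])
    return obj


# Hardened pattern: an explicit registry keyed by "module:class", so only
# classes registered ahead of time can ever be reconstructed.
ALLOWED_CLASSES: dict[str, type] = {f"{__name__}:Job": Job}


def unmarshal_allowlisted(payload: dict, allowed: dict[str, type] = ALLOWED_CLASSES) -> Any:
    key = f"{payload.get('module')}:{payload.get('class')}"
    cls = allowed.get(key)
    if cls is None:
        # Reject before any import or attribute lookup happens.
        raise ValueError(f"refusing to deserialize unregistered class {key!r}")
    state = payload.get("state")
    if not isinstance(state, dict):
        raise ValueError("state must be a JSON object")
    obj = cls.__new__(cls)
    obj.__setstate__(state)
    return obj


def demo() -> dict[str, bool]:
    """Run both unmarshalers over constructed payloads and report outcomes."""
    legit = {"module": __name__, "class": "Job",
             "state": {"func": "tasks.send_report", "args": [1, 2]}}
    hostile = {"module": __name__, "class": "Unexpected", "state": {"x": 1}}

    results: dict[str, bool] = {}
    job = unmarshal_allowlisted(legit)
    results["allowlist_job_ok"] = isinstance(job, Job) and job.args == (1, 2)

    Unexpected.called = False
    obj = unmarshal_naive(hostile)
    results["naive_reached_unexpected"] = isinstance(obj, Unexpected) and Unexpected.called

    Unexpected.called = False
    try:
        unmarshal_allowlisted(hostile)
        results["allowlist_rejected_unexpected"] = False
    except ValueError:
        results["allowlist_rejected_unexpected"] = not Unexpected.called
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The registry in the hardened version is keyed on the fully qualified name so that a class of the same short name in another module cannot be substituted, and the rejection happens before any import runs, which matters because importing a module is itself code execution.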

Defensive priority

Highest priority. This is a critical, unauthenticated, network-reachable RCE class issue with full confidentiality, integrity, and availability impact in the supplied CVSS metadata.

Recommended defensive actions

  • Identify every application and service that uses APScheduler serializers, including indirect dependencies and embedded frameworks.
  • Review every code path where JSON or CBOR scheduler data is decoded and trace where that data originates; a shared store, queue, or cache that other services or tenants can write to counts as an untrusted source for this purpose.
  • Prefer disabling or replacing the unsafe deserialization paths, and upgrade to a version that removes or hardens the affected serializers once a vendor fix is available.
  • Treat any untrusted serialized APScheduler payload as potentially weaponizable and restrict ingestion at trust boundaries.
  • Add compensating controls such as input source restriction, service isolation, and tight network access until remediation is complete.
  • Monitor APScheduler workloads for unexpected module imports or class instantiation during deserialization; in Python 3.8 and later, a sys.addaudithook callback that logs the import audit event in the scheduler process is one low-cost way to surface this.
  • Validate the linked advisory and project repository for official remediation guidance and version-specific fixes.
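As an added example for the first two actions above (inventory and code review), not part of the original debrief, the scanner below reports the installed APScheduler version and walks a source tree for imports or references to the two serializer classes named in the CVE. The sample files it scans are constructed inline for the demonstration; the import paths in them are illustrative and are not verified against the project's actual module layout.

```python
import ast
import tempfile
from importlib import metadata
from pathlib import Path
from typing import Optional

# The two serializer classes the CVE description names.
SERIALIZER_NAMES = {"JSONSerializer", "CBORSerializer"}


def installed_apscheduler_version() -> Optional[str]:
    """Version of the installed APScheduler distribution, or None if absent."""
    for dist_name in ("apscheduler", "APScheduler"):
        try:
            return metadata.version(dist_name)
        except metadata.PackageNotFoundError:
            continue
    return None


def find_serializer_uses(root: Path) -> list[tuple[str, int, str]]:
    """Walk *root* for .py files and return (file, line, name) for every
    import or reference to the affected serializer classes."""
    hits: list[tuple[str, int, str]] = []
    for path in sorted(root.rglob("*.py")):
        try:
            tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
        except SyntaxError:
            continue  # unparsable file: report separately rather than abort the scan
        for node in ast.walk(tree):
            if isinstance(node, ast.ImportFrom) and (node.module or "").startswith("apscheduler"):
                for alias in node.names:
                    if alias.name in SERIALIZER_NAMES:
                        hits.append((path.name, node.lineno, alias.name))
            elif isinstance(node, ast.Name) and node.id in SERIALIZER_NAMES:
                hits.append((path.name, node.lineno, node.id))
            elif isinstance(node, ast.Attribute) and node.attr in SERIALIZER_NAMES:
                hits.append((path.name, node.lineno, node.attr))
    return hits


def demo() -> list[tuple[str, int, str]]:
    """Scan a constructed sample tree (not real application code)."""
    samples = {
        "worker.py": (
            "from apscheduler.serializers.json import JSONSerializer\n"  # constructed path
            "serializer = JSONSerializer()\n"
        ),
        "legacy.py": (
            "import apscheduler.serializers.cbor as cbor\n"  # constructed path
            "s = cbor.CBORSerializer()\n"
        ),
        "clean.py": "import json\nprint(json.dumps({}))\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, src in samples.items():
            (root / name).write_text(src, encoding="utf-8")
        return find_serializer_uses(root)


if __name__ == "__main__":
    print("installed APScheduler:", installed_apscheduler_version())
    for file, line, name in demo():
        print(f"{file}:{line}: {name}")
```

Point find_serializer_uses at a real checkout to get a starting list for review; each hit is a place to trace the data source, and the version lookup is what you compare against the fixed version once the advisory states one.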

Evidence notes

Evidence in this debrief is limited to the supplied CVE/NVD metadata and the referenced URLs listed in the source corpus. The corpus states APScheduler JSONSerializer and CBORSerializer are vulnerable to insecure deserialization leading to RCE, with CWE-502 and CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The linked gist and GitHub repository are referenced by the CVE record, but their contents were not provided in-corpus, so this debrief avoids unsupported version, fix, or exploitation claims beyond the supplied description.

Official resources

The CVE record was published on 2026-05-19 and modified on 2026-05-20. No KEV entry was supplied in the corpus. NVD metadata marks the vulnerability status as Deferred.