{"id":"CVE-2026-7584","summary":"Arbitrary Code Execution via Unsafe Deserialization in LabOne Q","details":"The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.","modified":"2026-07-15T01:49:08.767156185Z","published":"2026-05-01T07:21:18.781Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"2.41.0"},{"fixed":"26.1.2"},{"introduced":"26.4.0b1"},{"last_affected":"26.4.0b5"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"NCSC.ch","cwe_ids":["CWE-502"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7584.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7584.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7584"},{"type":"ADVISORY","url":"https://www.zhinst.com/support/security/2026/zi-sa-2026-002/"},{"type":"PACKAGE","url":"https://pypi.org/project/laboneq/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zhinst/laboneq","events":[{"introduced":"1827ba7dafd216f32abb66d55025e02328d43552"},{"fixed":"5cbdd22332f0d3ed2e1343e396ecd1161a064286"}],"database_specific":{"cpe":"cpe:2.3:a:zhinst:labone_q:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.41.0"},{"fixed":"26.1.2"}],"source":"CPE_RANGE"}}],"versions":["26.1.1","26.1.0","26.1.0b4","26.1.0b3","26.1.0b2","26.1.0b1","25.10.2","25.10.1","25.10.0","2.62.0","2.61.0","2.60.1","2.60.0","2.59.0","2.58.0","2.57.0","2.56.0","2.55.0","2.54.0","2.53.0","2.52.0","2.51.0","2.50.0","2.49.0","2.48.0","2.47.0","2.46.0","2.45.0","2.44.0","2.43.0","2.42.0","2.41.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7584.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}