CVE-2026-7584: LabOne Q Deserialization Leads to Arbitrary Code Execution

The National Vulnerability Database highlights CVE-2026-7584, a critical deserialization vulnerability within LabOne Q’s serialization framework. This flaw, rated 7.8 (HIGH) on the CVSS scale, stems from the import_cls mechanism, which dynamically imports and instantiates Python classes during deserialization. Prior to the patch, this mechanism accepted unvalidated, arbitrary fully-qualified class names from serialized data, lacking any restrictions on module imports.

An attacker could exploit this by crafting a malicious serialized experiment file. When loaded by a victim using LabOne Q’s deserialization functions—for instance, a compromised file shared for collaboration or support—it would force the engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments. This directly leads to arbitrary code execution within the context of the user running the Python process.

This is a classic CWE-502 vulnerability. It underscores the danger of unchecked deserialization, where trusted data structures can be weaponized to execute hostile code. Defenders need to recognize that seemingly benign file exchanges, even within trusted circles, can become vectors for severe compromise if underlying software libraries are not robustly secured against such deserialization abuses.
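The difference between the unrestricted class resolution described above and an allowlisted one, as an added example that is not LabOne Q's code or its actual patch. The function names other than import_cls, the "__type"/"args" document layout and the use of the stdlib fractions module as the allowed package are assumptions made for illustration.

```python
import importlib

# Assumption: stdlib "fractions" stands in for the application's own data-model package.
ALLOWED_MODULES = frozenset({"fractions"})


class DisallowedClassError(ValueError):
    """Serialized data named something outside the allowlist."""


def import_cls_unrestricted(qualname):
    """Pre-patch pattern as described above: any importable name is accepted."""
    module_name, _, cls_name = qualname.rpartition(".")
    return getattr(importlib.import_module(module_name), cls_name)


def import_cls_allowlisted(qualname):
    """Hardened form: vet the module before importing it, then vet the object."""
    if not isinstance(qualname, str):
        raise DisallowedClassError(f"class name must be a string: {qualname!r}")
    module_name, _, cls_name = qualname.rpartition(".")
    # Importing runs the module's top-level code, so this check must come first.
    if module_name not in ALLOWED_MODULES:
        raise DisallowedClassError(f"module not allowed: {module_name!r}")
    obj = getattr(importlib.import_module(module_name), cls_name, None)
    # Reject names the module merely re-exports (other modules, functions, foreign classes).
    if not isinstance(obj, type) or obj.__module__ != module_name:
        raise DisallowedClassError(f"not a class defined in {module_name!r}: {cls_name!r}")
    return obj


def load_node(node, resolve=import_cls_allowlisted):
    """Rebuild objects from a nested dict/list document in the toy format below."""
    if isinstance(node, list):
        return [load_node(item, resolve) for item in node]
    if isinstance(node, dict) and "__type" in node:
        cls = resolve(node["__type"])
        return cls(*load_node(node.get("args", []), resolve))
    return node


# Constructed sample documents; the "__type"/"args" layout is invented for this example.
GOOD_DOC = {"__type": "fractions.Fraction", "args": [1, 3]}
BAD_DOC = {"__type": "pathlib.PurePosixPath", "args": ["tmp"]}  # real class, not allowlisted

if __name__ == "__main__":
    print(load_node(GOOD_DOC))                          # allowlisted class is rebuilt
    print(load_node(BAD_DOC, import_cls_unrestricted))  # unrestricted resolver accepts it
    try:
        load_node(BAD_DOC)
    except DisallowedClassError as exc:
        print("rejected:", exc)
```

The allowlist is checked before importlib.import_module runs because the import itself executes code; the second check stops an allowed module from being used as a route to whatever it happens to import.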

What This Means For You

  • If your organization uses LabOne Q or any software that processes serialized data from untrusted sources, you need to treat this as a red alert. Review your data exchange protocols, especially for collaborative or support-related file sharing. Ensure all instances of LabOne Q are patched to address CVE-2026-7584 immediately. This isn't theoretical; it's a direct path to arbitrary code execution, and attackers will absolutely leverage it.

🛡️ Detection Rules

title: 'CVE-2026-7584: LabOne Q Arbitrary Code Execution via Deserialization'
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  Detects Python processes whose command line contains the name of a common deserialization function (pickle.loads, yaml.load, json.loads). Related to CVE-2026-7584, where crafted serialized data can lead to arbitrary code execution when deserialized by LabOne Q.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7584/
tags:
  - attack.execution
  - attack.t1574.002
logsource:
  category: process_creation
  product: windows
detection:
  # Matches command-line text only: deserialization performed inside a
  # script or library does not appear in process-creation events.
  selection:
    Image|endswith:
      - 'python.exe'
      - 'pythonw.exe'
    CommandLine|contains:
      - 'pickle.loads'
      - 'yaml.load'
      - 'json.loads'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7584 | RCE | LabOne Q serialization framework |
| CVE-2026-7584 | Deserialization | LabOne Q 'import_cls' mechanism |
| CVE-2026-7584 | Code Injection | Arbitrary Python class instantiation via serialized experiment file |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 11:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
