External risk intelligence

Picklescan Universal Blocklist Bypass Allows Remote Code Execution

CVE advisory · Severity: CRITICAL (CVSS 10.0)

CVE-2026-3490

A vulnerability in the picklescan code analysis tool allows remote attackers to bypass blocklists and execute arbitrary code by resolving dangerous functions through indirect calls. This could lead to unauthorized system control if the tool is used in a reachable environment. This issue may impact systems employing pic

Remote Code Execution

Halo Surface Signal

Very unlikely · external exposure


Picklescan is a developer-oriented security utility used primarily during build-time, scanning, or development workflows to analyze files for malicious code. It is a library or tool used within local development environments or CI/CD pipelines, not a service or application designed to be exposed to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in picklescan, a tool used for code analysis, has been identified that could allow attackers to bypass security blocklists and execute arbitrary code. This could potentially lead to unauthorized access and control over systems where this tool is utilized.

  • Code analysis tool has a security bypass flaw.
  • Allows arbitrary code execution if exploited.
  • Confirm relevance and exposure of this tool.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by sending specially crafted input to a system that uses the vulnerable component. This component, when processing such input, would allow the attacker to bypass security controls and execute arbitrary code.

  • No authentication or user interaction needed.
  • Bypasses blocklist via indirect calls.
  • Enables remote code execution.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, remote attackers could bypass the tool's blocklist and execute arbitrary code on a system by reaching dangerous functions such as `os.system` through indirect calls.

  • System commands could be executed.
  • Attackers could bypass blocklists.
  • Unintended code execution may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The primary responsibility for addressing this vulnerability likely lies with development teams who integrate the affected tooling into their build or analysis pipelines. The first practical step is to identify all instances where this tool is used, confirm its reachability within the development or CI/CD environment, and then engage the accountable development lead or platform team to plan remediation, which may involve updating the tool or mitigating its use.

  • Development or platform teams own remediation.
  • Verify tool usage in development pipelines.
  • Plan updates or mitigate tool usage.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-3490 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote code execution by bypassing blocklists, which is a critical issue for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is picklescan and how is it used?

Picklescan is a security utility designed to inspect Python pickle files for malicious content. Developers and security engineers typically incorporate it into build-time processes, automated scanning workflows, or CI/CD pipelines to ensure that deserialized data does not contain harmful code before it is processed by an application.

What does CVE-2026-3490 mean for picklescan's blocklist?

This vulnerability is classified as CWE-183: Permissive List of Allowed Inputs. It means the tool's security mechanism for filtering dangerous functions is flawed. Because the tool fails to restrict the `pkgutil.resolve_name` function, an attacker can use it to indirectly call and execute prohibited system commands, effectively rendering the tool's protections useless.
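The CWE-183 point above is that a blocklist can only name the resolvers it already knows about. The following is an added example (not picklescan's code) of the deny-by-default alternative: it lists every global a pickle would import without loading it, then enforces an allowlist at load time. `ALLOWED_GLOBALS` and the sample pickles are constructed for this example; the resolver pickles only reference `pkgutil.resolve_name` and call nothing.

```python
import io
import pickle
import pickletools
import pkgutil
from collections import OrderedDict
# Deny-by-default allowlist (constructed for this example): the only globals a
# pickle may import. Resolver helpers such as pkgutil.resolve_name, which a
# blocklist can omit, are refused simply by not being listed.
ALLOWED_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}

def referenced_globals(data: bytes) -> set:
    """Every (module, name) the pickle would import, found without loading it.
    Handles text-form GLOBAL/INST and protocol-4 STACK_GLOBAL, which takes the
    module and name from the two preceding string pushes."""
    refs, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            refs.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.add((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return refs

def scan(data: bytes) -> list:
    """Imports the pickle makes that fall outside the allowlist, sorted."""
    return sorted(r for r in referenced_globals(data) if r not in ALLOWED_GLOBALS)

class AllowlistUnpickler(pickle.Unpickler):
    """Enforces the same allowlist at load time via find_class."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused import {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def is_refused(data: bytes) -> bool:
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True

# Constructed inputs: a benign OrderedDict, and pickles that merely reference
# pkgutil.resolve_name (nothing is called; loading would only yield the function).
BENIGN = pickle.dumps(OrderedDict(a=1), protocol=4)
RESOLVER_REF = pickle.dumps(pkgutil.resolve_name, protocol=4)     # STACK_GLOBAL
RESOLVER_REF_P0 = pickle.dumps(pkgutil.resolve_name, protocol=0)  # GLOBAL
```

Running `scan` over a model file before loading it reports the unexpected imports; the unpickler refuses the same references even if the scan step is skipped.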

How does an attacker trigger this vulnerability?

An attacker triggers the flaw by providing a maliciously crafted pickle file to a system using the affected tool. By leveraging indirect calls, the attacker bypasses the internal blocklist to run unauthorized functions. It is important to note that simply using the tool in environments that do not process untrusted or external pickle files significantly limits the opportunity for this specific exploitation path.

Do I need to worry about this if my code is internal?

According to Halo Surface Signal, this vulnerability is considered very unlikely to be exposed to the public internet because picklescan is a build-time utility, not a public-facing service. Your primary concern should be if your CI/CD pipelines or local development environments process pickle files from untrusted or external sources, which could introduce the risk regardless of whether the system itself is internet-facing.

How should I respond to CVE-2026-3490?

Start by auditing your development and CI/CD pipelines to identify where picklescan is integrated. Once identified, consult your development team to confirm the tool's version and reachability. The most effective step is to update picklescan to version 1.0.4 or later, which resolves the blocklist bypass. If updating immediately is not possible, evaluate whether the processing of untrusted pickle files can be restricted or isolated.
