{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:zhinst:labone_q:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "2.41.0"
              },
              {
                "fixed": "26.1.2"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "1827ba7dafd216f32abb66d55025e02328d43552"
            },
            {
              "fixed": "5cbdd22332f0d3ed2e1343e396ecd1161a064286"
            }
          ],
          "repo": "https://github.com/zhinst/laboneq",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "NCSC.ch",
    "cwe_ids": [
      "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7584.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "2.41.0"
          },
          {
            "fixed": "26.1.2"
          },
          {
            "introduced": "26.4.0b1"
          },
          {
            "last_affected": "26.4.0b5"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.",
  "id": "CVE-2026-7584",
  "modified": "2026-07-15T01:49:08.767156185Z",
  "published": "2026-05-01T07:21:18.781Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7584.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7584"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.zhinst.com/support/security/2026/zi-sa-2026-002/"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/laboneq/"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Arbitrary Code Execution via Unsafe Deserialization in LabOne Q"
}