CVE-2026-2970: datapizza-ai has unsafe deserialization via pickle.loads() in RedisCache

February 23, 2026 (updated February 25, 2026)

A vulnerability has been found in datapizza-labs datapizza-ai 0.0.7. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-hg58-x52p-859c
github.com/datapizza-labs/datapizza-ai
github.com/hacktivesec/datapizza-ai-disclosure/blob/main/unsafe-deserialization.md
nvd.nist.gov/vuln/detail/CVE-2026-2970
vuldb.com/?ctiid.347337
vuldb.com/?id.347337
vuldb.com/?submit.755363

Code Behaviors & Features

Detect and mitigate CVE-2026-2970 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →