CVE-2019-16328
Description
RPyC 4.1.x before 4.1.2 allows remote authenticated attackers to bypass security checks and execute arbitrary code by dynamically modifying exposed object attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-16328 is an authenticated remote code execution vulnerability in RPyC (Remote Python Call) versions 4.1.0 and 4.1.1. The root cause is a missing security check that allows a remote attacker to dynamically modify object attributes on an exposed service [2][3]. By leveraging Python's dynamic nature, an attacker can construct a remote procedure call that alters the behavior of the service, bypassing the default security configuration intended to restrict access to dangerous objects [1][3].
Exploitation
Conditions
Exploitation requires valid authentication to the RPyC service. The vulnerable code was introduced in a commit made in September 2018 and persisted until October 2019 [2][3]. An attacker can target custom services that expose objects, then traverse accessible attributes (such as builtins.str, builtins.type, builtins.object, or builtins.dict) to reach critical modules like sys.modules [3]. The default configuration attempts to mitigate such access but was insufficient in these versions.
Impact
A successful attack grants the attacker arbitrary code execution within the context of the RPyC server process. This could lead to full compromise of the server, data exfiltration, or lateral movement within the network [2][3]. The vulnerability is notable because it is the first RPyC security flaw since 2008, highlighting a regression in the library's otherwise strict security defaults [3].
Mitigation
The vulnerability is fixed in RPyC version 4.1.2 [2][3]. Users should upgrade immediately. If upgrading is not possible, applying the commit d818ecc83a92548994db75a0e9c419c7bce680d6 can serve as a patch [2]. As a general security practice, RPyC services should not be exposed directly to the Internet and should be run over trusted networks or secure connections (e.g., SSH tunnels) [3].
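An added example, not part of this CVE record or of the RPyC project: a small Python check that a defender can run against dependency pins or the current interpreter to find rpyc installs still inside the affected range. The range (4.1.0 inclusive up to, but not including, the 4.1.2 fix release) is taken from the CVE description above; the `pip freeze` lines it scans are constructed sample input, and the helper names are this example's own.

```python
"""Flag RPyC installations in the CVE-2019-16328 affected range (4.1.0 <= v < 4.1.2)."""
import re
from typing import Iterable, List, Optional, Tuple

# Range taken from the CVE description: "RPyC 4.1.x before 4.1.2".
# Versions are normalised to (major, minor, patch, pre) tuples, see parse_version().
AFFECTED_MIN = (4, 1, 0, 0)     # inclusive lower bound
FIXED_VERSION = (4, 1, 2, 0)    # first fixed release, exclusive upper bound

# Matches a `pip freeze` / requirements pin such as "rpyc==4.1.1".
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.+\-]*)\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise a version string to (major, minor, patch, pre).

    `pre` is 0 for a plain release and -1 when any suffix follows the numeric
    part (e.g. '4.1.2rc1', '4.1.2.dev0'), so a suffixed 4.1.2 sorts below the
    plain 4.1.2 release and is still reported as not fixed. That is a deliberately
    conservative choice: it errs toward flagging. Missing components pad with 0.
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, rest = m.groups()
    pre = -1 if rest else 0
    return (int(major), int(minor or 0), int(patch or 0), pre)


def is_affected(version: str) -> bool:
    """True when the given rpyc version lies in the CVE-2019-16328 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def scan_freeze(lines: Iterable[str]) -> List[dict]:
    """Scan `pip freeze`-style lines and report every rpyc pin found.

    Comments and blank lines are skipped; package names are compared after the
    same case and underscore/hyphen normalisation pip applies.
    """
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = m.groups()
        if name.lower().replace("_", "-") != "rpyc":
            continue
        findings.append({"version": version, "affected": is_affected(version)})
    return findings


def check_installed() -> Optional[dict]:
    """Check the rpyc distribution installed in this interpreter, if any.

    Returns None when rpyc is not installed (or on Python < 3.8 without
    importlib.metadata), otherwise {"version": ..., "affected": ...}.
    """
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:
        return None
    try:
        installed = version("rpyc")
    except PackageNotFoundError:
        return None
    return {"version": installed, "affected": is_affected(installed)}


# Constructed sample of `pip freeze` output (not taken from any real host).
SAMPLE_FREEZE = """\
# constructed sample
plumbum==1.8.2
rpyc==4.1.1
RPyC==4.1.2   # pip normalises the name case
rpyc==4.0.2
"""

if __name__ == "__main__":
    for finding in scan_freeze(SAMPLE_FREEZE.splitlines()):
        status = "AFFECTED (upgrade to >= 4.1.2)" if finding["affected"] else "ok"
        print(f"rpyc=={finding['version']}: {status}")
    local = check_installed()
    print("installed rpyc:", local if local else "not installed")
```

Run it against a real `pip freeze` by piping the output into `scan_freeze(sys.stdin)`; `check_installed()` covers the interpreter the RPyC service actually runs under, which is the one that matters when several environments exist on a host.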
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rpyc (PyPI) | >= 4.1.0, < 4.1.1 | 4.1.1 |
Affected products
- RPyC/RPyC (GHSA coordinates, 6 package versions; no CPE for any entry):
  - pkg:pypi/rpyc, range: >= 4.1.0, < 4.1.1
  - pkg:rpm/opensuse/python-rpyc&distro=openSUSE%20Leap%2015.1, range: < 4.1.5-lp151.3.3.1
  - pkg:rpm/opensuse/python-rpyc&distro=openSUSE%20Tumbleweed, range: < 6.0.0-1.2
  - pkg:rpm/opensuse/python-rpyc-test&distro=openSUSE%20Leap%2015.1, range: < 4.1.5-lp151.3.3.1
  - pkg:rpm/suse/python-rpyc&distro=SUSE%20Package%20Hub%2015%20SP1, range: < 4.1.5-bp151.2.3.1
  - pkg:rpm/suse/python-rpyc-test&distro=SUSE%20Package%20Hub%2015%20SP1, range: < 4.1.5-bp151.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-05/msg00046.html (SUSE vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2020-06/msg00004.html (SUSE vendor advisory)
- github.com/advisories/GHSA-pj4g-4488-wmxm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-16328 (advisory)
- github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-pj4g-4488-wmxm (advisory)
- rpyc.readthedocs.io/en/latest/docs/security.html (RPyC security documentation)
News mentions
No linked articles in our index yet.