CVE-2026-25632: CWE-502: Deserialization of Untrusted Data in WaterFutures EPyT-Flow
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
AI Analysis
Technical Summary
CVE-2026-25632 is a critical vulnerability in the WaterFutures EPyT-Flow Python package, which is used to generate hydraulic and water quality scenario data for water distribution networks. Versions prior to 0.16.1 contain a flawed custom JSON deserializer (my_load_from_json) that processes JSON request bodies and files containing a 'type' field. This field allows the deserializer to dynamically import and instantiate arbitrary Python modules and classes specified by the attacker, passing attacker-controlled arguments. This mechanism can be abused to instantiate dangerous classes such as subprocess.Popen, enabling arbitrary OS command execution during JSON parsing. The vulnerability affects both the REST API and JSON file loading functionality, and requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 base score is 10.0, reflecting the critical impact on confidentiality, integrity, and availability, as well as the ease of exploitation. The vulnerability was publicly disclosed on February 6, 2026, and fixed in EPyT-Flow version 0.16.1. No known exploits in the wild have been reported yet. The flaw is categorized under CWE-502: Deserialization of Untrusted Data, a common and dangerous class of vulnerabilities that can lead to remote code execution when deserializing data from untrusted sources without proper validation or restrictions.
Potential Impact
The impact of CVE-2026-25632 on European organizations is significant, particularly for entities involved in water infrastructure management, environmental research, and utilities that rely on EPyT-Flow for hydraulic and water quality modeling. Successful exploitation allows attackers to execute arbitrary commands on the underlying operating system, potentially leading to full system compromise. This can result in unauthorized data access or modification, disruption of water distribution simulations, and sabotage of critical infrastructure modeling. The integrity and availability of water management systems could be severely affected, leading to operational outages or incorrect decision-making based on manipulated data. Given the critical nature of water infrastructure in Europe and its importance for public health and safety, this vulnerability poses a high risk. Additionally, the lack of authentication and user interaction requirements means attackers can exploit this vulnerability remotely and stealthily, increasing the threat level. Organizations may also face regulatory and compliance repercussions if the vulnerability leads to data breaches or service disruptions.
Mitigation Recommendations
To mitigate CVE-2026-25632, European organizations should immediately upgrade EPyT-Flow to version 0.16.1 or later, where the vulnerability is fixed. Until the upgrade is applied, restrict network access to the EPyT-Flow REST API to trusted internal networks only, using firewalls or VPNs. Implement strict input validation and sanitization on JSON data before deserialization to prevent malicious payloads. Employ application-layer security controls such as web application firewalls (WAFs) that can detect and block suspicious JSON payloads containing unexpected 'type' fields or dynamic import attempts. Monitor system and application logs for unusual process creation or command execution patterns indicative of exploitation attempts. Consider running EPyT-Flow in a sandboxed or containerized environment with minimal privileges to limit the impact of potential compromise. Regularly audit and update dependencies and monitor vendor advisories for further patches or mitigations. Finally, conduct security awareness training for developers and operators on the risks of insecure deserialization and secure coding practices.
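The following is an added example, not EPyT-Flow's own code, showing the defensive shape the mitigation paragraph calls for: a JSON deserializer that still supports a "type" field but resolves it only against an explicit allow-list (so no sender-controlled module path is ever imported), passes the object's arguments through the registered constructor's own signature, and a companion screening helper that lists unregistered "type" values without instantiating anything. The classes Junction and Pipe, the registry TYPE_REGISTRY, the functions safe_load_from_json and find_unregistered_types, and all sample payloads are constructed for this example and do not correspond to EPyT-Flow internals.

```python
"""Allow-list deserializer for JSON objects carrying a "type" field (added example)."""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


class UnsafeTypeError(ValueError):
    """Raised when a JSON object names a type or arguments the allow-list does not permit."""


# Two harmless domain classes standing in for a simulator's own data types
# (constructed for this example; EPyT-Flow's real classes are not used here).
@dataclass(frozen=True)
class Junction:
    name: str
    elevation: float


@dataclass(frozen=True)
class Pipe:
    name: str
    length: float
    diameter: float


# The registry is the ONLY place a JSON "type" value can resolve to. A module
# path supplied by the sender is never imported; it is looked up as a plain key.
TYPE_REGISTRY: Dict[str, Callable[..., Any]] = {
    "Junction": Junction,
    "Pipe": Pipe,
}


def _build(obj: Dict[str, Any]) -> Any:
    """Instantiate a registered type from a JSON object, rejecting anything else."""
    type_name = obj["type"]
    factory = TYPE_REGISTRY.get(type_name) if isinstance(type_name, str) else None
    if factory is None:
        raise UnsafeTypeError(f"type {type_name!r} is not on the allow-list")
    args = obj.get("args", {})
    if not isinstance(args, dict):
        raise UnsafeTypeError("args must be a JSON object of keyword arguments")
    try:
        # The constructor's own signature is the argument schema: unknown or
        # missing keywords are rejected instead of being passed through.
        return factory(**args)
    except TypeError as exc:
        raise UnsafeTypeError(f"bad arguments for {type_name}: {exc}") from exc


def safe_load_from_json(text: str) -> Any:
    """Parse JSON, turning {"type": ..., "args": {...}} objects into registered instances only."""
    def hook(obj: Dict[str, Any]) -> Any:
        return _build(obj) if "type" in obj else obj
    return json.loads(text, object_hook=hook)


def find_unregistered_types(text: str) -> List[str]:
    """Detection helper: list every "type" value that is not on the allow-list,
    without instantiating anything. Usable for screening request bodies at the
    edge or reviewing logged payloads for the pattern this advisory describes."""
    seen: List[str] = []

    def hook(obj: Dict[str, Any]) -> Any:
        if "type" in obj:
            seen.append(str(obj["type"]))
        return obj

    json.loads(text, object_hook=hook)
    return [t for t in seen if t not in TYPE_REGISTRY]


# Constructed sample payloads (not taken from the advisory).
GOOD_PAYLOAD = '{"type": "Pipe", "args": {"name": "P1", "length": 120.5, "diameter": 0.3}}'
BAD_PAYLOAD = '{"type": "not.registered.Class", "args": {}}'
EXTRA_ARG_PAYLOAD = '{"type": "Junction", "args": {"name": "J1", "elevation": 12.0, "mode": "x"}}'


if __name__ == "__main__":
    print(safe_load_from_json(GOOD_PAYLOAD))
    print(find_unregistered_types(BAD_PAYLOAD))
    for payload in (BAD_PAYLOAD, EXTRA_ARG_PAYLOAD):
        try:
            safe_load_from_json(payload)
        except UnsafeTypeError as exc:
            print("rejected:", exc)
```

The design point is that the registry key, not an import path, is the unit of trust: adding a type to the allow-list is a deliberate code change, and the screening helper gives a cheap signal for the WAF or log-review step in the mitigation list without ever constructing the object it inspects.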
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-04T05:15:41.790Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698652d6f9fa50a62f31f193
Added to database: 2/6/2026, 8:45:10 PM
Last enriched: 2/6/2026, 8:59:56 PM
Last updated: 2/6/2026, 9:58:14 PM