diff --git a/murano/engine/yaql_yaml_loader.py b/murano/engine/yaql_yaml_loader.py
index bc12e58d7..7678fe224 100644
--- a/murano/engine/yaql_yaml_loader.py
+++ b/murano/engine/yaql_yaml_loader.py
@@ -43,7 +43,7 @@ def get_loader(version):
 node.end_mark.line + 1, node.end_mark.column + 1)
- class MuranoPlYamlConstructor(yaml.constructor.Constructor):
+ class MuranoPlYamlConstructor(yaml.constructor.SafeConstructor):
 def construct_yaml_map(self, node):
 data = MuranoPlDict()
 data.source_file_position = build_position(node)
@@ -51,7 +51,7 @@ def get_loader(version):
 value = self.construct_mapping(node)
 data.update(value)
- class YaqlYamlLoader(yaml.Loader, MuranoPlYamlConstructor):
+ class YaqlYamlLoader(yaml.SafeLoader, MuranoPlYamlConstructor):
 pass
 YaqlYamlLoader.add_constructor(
@@ -60,7 +60,7 @@ def get_loader(version):
 # workaround for PyYAML bug: http://pyyaml.org/ticket/221
 resolvers = {}
- for k, v in yaml.Loader.yaml_implicit_resolvers.items():
+ for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
 resolvers[k] = v[:]
 YaqlYamlLoader.yaml_implicit_resolvers = resolvers
diff --git a/murano/tests/functional/common/utils.py b/murano/tests/functional/common/utils.py
index 94141a24e..6c0e1760b 100644
--- a/murano/tests/functional/common/utils.py
+++ b/murano/tests/functional/common/utils.py
@@ -249,7 +249,7 @@ class DeployTestMixin(zip_utils.ZipUtilsMixin):
 """
 component = service.to_dict()
 component = json.dumps(component)
- return yaml.load(component)
+ return yaml.safe_load(component)
 @classmethod
 def get_service_id(cls, service):
diff --git a/murano/tests/unit/policy/test_congress_rules.py b/murano/tests/unit/policy/test_congress_rules.py
index 21cfb41b8..7e9ef7734 100644
--- a/murano/tests/unit/policy/test_congress_rules.py
+++ b/murano/tests/unit/policy/test_congress_rules.py
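Review bot: The swap to `yaml.constructor.SafeConstructor` and `yaml.SafeLoader` in the two class definitions has no regression test pinning it, so a later refactor could quietly reintroduce `yaml.Loader` without anything failing; a unit test asserting `issubclass(get_loader(<version>), yaml.SafeLoader)` and that a document carrying a `!!python/...` tag is rejected with `yaml.constructor.ConstructorError` would lock the fix in. The reason for the base class deserves a comment on the `MuranoPlYamlConstructor` line, e.g. `# SafeConstructor: package-supplied YAML must never instantiate arbitrary Python objects (CVE-2016-4972)`. The `YaqlYamlLoader.add_constructor(` call after the second hunk is cut off here, so whatever it registers is outside this review; its constructor should be checked separately so it does not reach back into the full `Constructor` machinery. The implicit-resolver copy in the third hunk now reads from `yaml.SafeLoader`, which is consistent with the new base; `get_loader` itself starts before the first hunk and ends after the third.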
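Review bot: In the utils.py hunk the new line `return yaml.safe_load(component)` parses a string that `json.dumps` produced on the line just above, so the YAML parser is only being used as a JSON decoder; `json.loads(component)` would presumably yield the same plain dict/list structure and avoid the YAML 1.1 scalar-resolution edge cases that `safe_load` applies to JSON text. If the intent is specifically to exercise the YAML path, a one-line comment saying so would spare the next reader the same question. The enclosing method starts above the hunk, so its name and docstring are not visible here.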
@@ -87,7 +87,7 @@ class TestCongressRules(unittest.TestCase):
 os.path.dirname(inspect.getfile(self.__class__)), file_name)
 with open(model_file) as stream:
- return yaml.load(stream)
+ return yaml.safe_load(stream)
 def _create_rules_str(self, model_file, package_loader=None):
 model = self._load_file(model_file)
diff --git a/releasenotes/notes/safeloader-cve-2016-4972-19035a2a091ec30a.yaml b/releasenotes/notes/safeloader-cve-2016-4972-19035a2a091ec30a.yaml
new file mode 100644
index 000000000..f022c5c7e
--- /dev/null
+++ b/releasenotes/notes/safeloader-cve-2016-4972-19035a2a091ec30a.yaml
@@ -0,0 +1,9 @@
+---
+security:
+ - cve-2016-4972 has been addressed. In ceveral places
+ Murano used loaders inherited directly from yaml.Loader
+ when parsing MuranoPL and UI files from packages.
+ This is unsafe, because this loader is capable of creating
+ custom python objects from specifically constructed
+ yaml files. With this change all yaml loading operations are done
+ using safe loaders instead.