CVE-2026-31234

EPSS 0.69%
Veröffentlicht 12.05.2026 00:00:00
Zuletzt bearbeitet 14.05.2026 20:17:02
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 0 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.69%	0.478

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/horovod/horovod

https://www.notion.so/CVE-2026-31234-35d1e139318881d585cde508b9d2453c

https://nvd.nist.gov/vuln/detail/CVE-2026-31234

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31234

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31234

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31234