CVE 9.8 CRITICAL

CVE-2026-31234_CVE-2026-31234

May 14, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.

AI Analysis

Insecure deserialization vulnerability in Horovod's KVStore HTTP server component, allowing remote code execution

Basic Information

ID CVE-2026-31234

Source mitre

Published May 12, 2026 at 00:00

Modified May 14, 2026 at 19:54

Affected Product

Vendor Horovod

Product Horovod

Version 0.28.1

Affected Versions n/a n/a n/a

CWE Classification

CWE-502

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Horovod

Product Horovod

Version 0.28.1

References

{
    "lastseen": "",
    "description": "Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.",
    "published": "2026-05-12T00:00:00.000Z",
    "modified": "2026-05-14T19:54:33.176Z",
    "type": "cve",
    "title": "CVE-2026-31234",
    "source": "mitre",
    "references": "https://github.com/horovod/horovod\nhttps://www.notion.so/CVE-2026-31234-35d1e139318881d585cde508b9d2453c",
    "id": "CVE-2026-31234",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Horovod",
    "version": "0.28.1",
    "vendor": "Horovod",
    "ai_description": "Insecure deserialization vulnerability in Horovod's KVStore HTTP server component, allowing remote code execution",
    "ai_severity": "Critical",
    "ai_vendor": "Horovod",
    "ai_product": "Horovod",
    "ai_version": "0.28.1",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply