CVE Catalog

CVE-2026-31234

Critical
Published: Translated: NVD NIST

Summary

Horovod up to version 0.28.1 contains an insecure deserialization vulnerability in its KVStore HTTP server component. The lack of authentication and authorization controls allows any remote attacker to send arbitrary data via HTTP PUT requests, leading to the potential execution of malicious code.

Risk Assessment

The organization is at risk of remote code execution, which could result in data loss, system takeover, or other serious security incidents.

Recommendation

It is recommended to update Horovod to the latest version and implement appropriate authentication and authorization mechanisms for the KVStore server.

Original NVD description (English source)

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS