Unrated severityNVD Advisory· Published Mar 18, 2026· Updated Mar 19, 2026
OmniGen2-RL Reward Server Unsafe Deserialization RCE
CVE-2026-25873
Description
OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution on the host system running the exposed service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
References
7- github.com/VectorSpaceLab/OmniGen2/pull/139mitrepatch
- chocapikk.com/posts/2026/omnigen2-pickle-rce/mitretechnical-descriptionexploit
- www.vulncheck.com/advisories/omnigen2-rl-reward-server-unsafe-deserialization-rcemitrethird-party-advisory
- arxiv.org/abs/2506.18871mitreproduct
- github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_proxy.pymitrerelated
- github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_proxy.pymitrerelated
- github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_server.pymitrerelated
News mentions
0No linked articles in our index yet.