VYPR
Critical severity9.8NVD Advisory· Published May 12, 2026· Updated May 14, 2026

CVE-2026-31234

CVE-2026-31234

Description

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
horovodPyPI
<= 0.28.1

Affected products

2
  • Horovod/Horovodreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=0.28.1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.