Skip to main content

NVIDIA AIStore CVE-2026-24270

| EUVDEUVD-2026-41028 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-07-01 nvidia GHSA-68qm-9rgj-p4pg
9.8
CVSS 3.1 · Vendor: nvidia
Share

Severity by source

Vendor (nvidia) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Remote unauthenticated authentication bypass (AV:N/AC:L/PR:N/UI:N) granting full read, write, and DoS over stored data justifies C:H/I:H/A:H; scope unchanged as impact stays within the storage service.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (nvidia).

CVSS VectorVendor: nvidia

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 15:52 vuln.today

DescriptionCVE.org

NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.

AnalysisAI

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed AIStore API endpoint
Delivery
Send request spoofing trusted identity
Exploit
Bypass authentication check
Execution
Access protected storage operations
Impact
Exfiltrate or tamper with objects / trigger DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to an exposed AIStore API endpoint (proxy/gateway or target node) that performs the flawed authentication check; per the CVSS vector AV:N/AC:L/PR:N/UI:N, no credentials, user interaction, or elevated privileges are needed against affected configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are consistent toward high priority: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes remote, low-complexity, unauthenticated exploitation with total impact, and an authentication-bypass root cause aligns cleanly with PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to an AIStore cluster's API sends crafted requests that defeat the identity check, gaining unauthorized access as if authenticated. From there they enumerate and exfiltrate stored training datasets (information disclosure), overwrite or poison objects (data tampering/integrity), or overwhelm/misconfigure the cluster to cause denial of service. …
Remediation Consult the NVIDIA product-security advisory at https://github.com/NVIDIA/product-security/tree/main/2026/5849 and upgrade AIStore to the fixed release identified there; no vendor-released patch version was independently confirmed in the available data, so the advisory is the authoritative source for the exact fixed build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all AIStore deployments and assess production vs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy