Skip to main content

TinyZero CVE-2026-31226

| EUVDEUVD-2026-29510 CRITICAL
OS Command Injection (CWE-78)
2026-05-12 mitre GHSA-q43r-5xx6-v6jq
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:56 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
9.8 (CRITICAL)
CVE Published
May 12, 2026 - 00:00 nvd
CRITICAL 9.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system() without proper input sanitization or escaping. User-controlled input (such as file paths) is directly interpolated into shell command strings using f-strings within the _copy() function. An attacker can inject arbitrary OS commands by supplying a specially crafted path parameter through the Hydra configuration framework. This leads to remote code execution with the privileges of the user running the TinyZero training process.

AnalysisAI

Remote code execution in TinyZero's HDFS utilities allows unauthenticated attackers to execute arbitrary OS commands via crafted file paths passed through the Hydra configuration framework. The vulnerability stems from unsanitized user input directly interpolated into os.system() shell commands within the _copy() function, affecting all deployments through commit 6652a63c57fa. No active exploitation confirmed at time of analysis, but EPSS score of 0.14% (33rd percentile) suggests below-average likelihood despite CVSS:9.8 critical rating. The attack requires network access to the TinyZero training process and ability to control path parameters via configuration.

Technical ContextAI

TinyZero is a machine learning project utilizing HDFS (Hadoop Distributed File System) operations for distributed storage. The vulnerability manifests in Python code where the _copy() function constructs shell commands using f-string interpolation before passing them to os.system() - a dangerous pattern that bypasses Python's built-in parameter escaping. The root cause is CWE-78 (OS Command Injection), occurring when external input flows into shell execution contexts without sanitization. The Hydra configuration framework, typically used for managing ML experiment hyperparameters, becomes an attack vector by allowing adversaries to inject path parameters containing shell metacharacters (semicolons, pipes, backticks, etc.). This represents a classic injection vulnerability where the application fails to distinguish between data and executable commands in a shell context.

RemediationAI

Immediate remediation requires replacing os.system() calls with subprocess.run() using list-based argument passing to prevent shell interpretation of metacharacters, specifically: subprocess.run(['hdfs', 'dfs', '-cp', source_path, dest_path], check=True). No vendor-released patch or fixed version number has been identified at time of analysis - the vulnerability affects the latest available commit. Organizations should implement input validation using allowlists for permitted path characters (alphanumeric, forward slash, hyphen, underscore only) and reject any input containing shell metacharacters (; | & $ ` \ < > ). As a temporary mitigation, restrict network access to the TinyZero training service endpoint to trusted internal networks only, and enforce that all Hydra configuration parameters originate from administrator-controlled sources rather than user input. Deploy the training process under a low-privilege service account with minimal filesystem permissions to limit impact scope. Note that input validation as the sole control carries risk of bypass - the architectural fix of eliminating shell invocation is strongly preferred.

Share

CVE-2026-31226 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy