Skip to main content

Horovod CVE-2026-31234

| EUVDEUVD-2026-29557 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-12 mitre GHSA-mf8f-x4r3-jm8c
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 20:23 vuln.today
CVSS changed
May 14, 2026 - 20:22 NVD
9.8 (CRITICAL)
CVE Published
May 12, 2026 - 00:00 nvd
CRITICAL 9.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 12 pypi packages depend on horovod (12 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.28.1.

DescriptionCVE.org

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.

AnalysisAI

Remote code execution in Horovod distributed training framework (versions through 0.28.1) allows unauthenticated network attackers to execute arbitrary code on worker nodes by injecting malicious pickle payloads into the KVStore HTTP server. The vulnerability combines unauthenticated write access to the KVStore coordination server with unsafe deserialization using cloudpickle.loads(), enabling trivial exploitation against any reachable Horovod cluster. EPSS score of 0.12% (31st percentile) suggests low widespread exploitation probability despite critical CVSS 9.8 rating, and no active exploitation confirmed (not in CISA KEV). Public exploit development is highly feasible given the straightforward attack path and publicly documented details.

Technical ContextAI

Horovod is a distributed deep learning training framework for TensorFlow, Keras, PyTorch, and Apache MXNet. The vulnerability resides in the KVStore component, an HTTP-based key-value server used for coordinating distributed training tasks across worker nodes. The root cause (CWE-502: Deserialization of Untrusted Data) occurs when workers retrieve data from KVStore via HTTP GET and blindly deserialize it using Python's cloudpickle.loads() function without integrity verification. The KVStore HTTP server accepts unauthenticated PUT requests, allowing any network-accessible attacker to poison the stored data with malicious pickle payloads. Python pickle deserialization is inherently unsafe when handling untrusted data because pickle can encode arbitrary object construction instructions, including calls to os.system(), subprocess, or __reduce__ magic methods that execute code during deserialization. CPE data shows minimal product identification (cpe:2.3:a:n/a:n/a), but GitHub reference confirms the Horovod project as the affected component.

RemediationAI

No vendor-released patch version is confirmed in available references - the Horovod GitHub repository link (https://github.com/horovod/horovod) does not specify a fixed release version. Organizations should monitor the official Horovod repository for security patches addressing CVE-2026-31234 and upgrade immediately when available. Until a patch is released, implement network segmentation to restrict KVStore HTTP server access to trusted internal networks only - use firewall rules to block external access to KVStore ports (typically custom ports in the 8000-9000 range depending on configuration). Consider deploying a reverse proxy with authentication middleware in front of KVStore endpoints to enforce access controls, though this requires modifying the deployment architecture and may impact worker coordination performance. For high-security environments, disable the KVStore HTTP server entirely if alternative coordination mechanisms are available in your Horovod deployment model, though this may limit distributed training capabilities. Each mitigation has trade-offs: network segmentation assumes internal network trust, reverse proxy adds latency and complexity, and disabling KVStore may break existing training workflows. Verify mitigation effectiveness by attempting unauthorized PUT requests from untrusted network segments.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-31234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy