Which versions of FedML-AI FedML are affected by CVE-2026-5536?

CVE-2026-5536 affects FedML-AI's gRPC server (versions ≤0.8.9), permitting unauthenticated remote code execution through unsafe deserialization that compromises confidentiality, integrity, and…

FedML-AI FedML CVE-2026-5536

Q: What is the CVSS score of CVE-2026-5536?

CVE-2026-5536 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19021 MEDIUM

Deserialization of Untrusted Data (CWE-502)

2026-04-05 VulDB

Deserialization

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 05, 2026 - 04:00 euvd

EUVD-2026-19021

Analysis Generated

Apr 05, 2026 - 04:00 vuln.today

CVE Published

Apr 05, 2026 - 02:45 nvd

MEDIUM 6.9

DescriptionNVD

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unsafe deserialization in FedML-AI FedML's gRPC server allows unauthenticated remote attackers to achieve confidentiality, integrity, and availability compromise through malicious payloads sent to the sendMessage function in versions up to 0.8.9. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. …

RemediationAI

Within 24 hours: Inventory all FedML deployments and document version numbers across development, staging, and production environments; verify network segmentation isolating gRPC endpoints. Within 7 days: Implement network-level access controls restricting sendMessage function access to trusted internal subnets only; disable FedML instances if no legitimate external connectivity required; establish monitoring for suspicious deserialization patterns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-5536 vulnerability details – vuln.today

Back

FedML-AI FedML CVE-2026-5536

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

FedML-AI FedML CVE-2026-5536

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code