Which versions of Fedml are affected by CVE-2026-5536?

CVE-2026-5536 affects FedML-AI's gRPC server (versions ≤0.8.9), permitting unauthenticated remote code execution through unsafe deserialization that compromises confidentiality, integrity, and…

How to fix or mitigate CVE-2026-5536?

Within 24 hours: Inventory all FedML deployments and document version numbers across development, staging, and production environments; verify network segmentation isolating gRPC endpoints. Within 7 days: Implement network-level access controls restricting sendMessage function access to trusted internal subnets only; disable FedML instances if no legitimate external connectivity required; establish monitoring for suspicious deserialization patterns. Within 30 days: Evaluate migration to patched alternatives or vendor-maintained forks; if remaining on FedML ≤0.8.9, escalate to FedML maintainers for security response timeline or prepare decommissioning plan.

Fedml CVE-2026-5536

Q: What is the CVSS score of CVE-2026-5536?

CVE-2026-5536 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19021 MEDIUM

Deserialization of Untrusted Data (CWE-502)

2026-04-05 VulDB

Deserialization Fedml

6.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

6.9 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 05, 2026 - 04:00 euvd

EUVD-2026-19021

Analysis Generated

Apr 05, 2026 - 04:00 vuln.today

CVE Published

Apr 05, 2026 - 02:45 nvd

MEDIUM 6.9

DescriptionCVE.org

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unsafe deserialization in FedML-AI FedML's gRPC server allows unauthenticated remote attackers to achieve confidentiality, integrity, and availability compromise through malicious payloads sent to the sendMessage function in versions up to 0.8.9. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 3.1 base score of 7.3 (High) reflects a network-accessible vulnerability requiring no authentication (AV:N/AC:L/PR:N) with partial impact across all CIA triad components (C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated remote attacker identifies a FedML gRPC server exposed on the network, typically listening on default gRPC ports. The attacker crafts a malicious serialized Python object containing embedded code execution payloads and sends it to the vulnerable sendMessage function endpoint. …
Remediation	No vendor-released patch identified at time of analysis, as the vendor did not respond to coordinated disclosure attempts per the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all FedML deployments and document version numbers across development, staging, and production environments; verify network segmentation isolating gRPC endpoints. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5536 vulnerability details – vuln.today

Back