Skip to main content

ByteDance verl CVE-2026-6878

| EUVDEUVD-2026-25146 LOW
Privilege Issues (CWE-265)
2026-04-23 VulDB GHSA-h57c-v2v3-5v3v
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.3 (MEDIUM) 2.9 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 23, 2026 - 07:07 vuln.today
CVSS changed
Apr 23, 2026 - 00:22 NVD
5.6 (MEDIUM) 6.3 (MEDIUM)
EUVD ID Assigned
Apr 23, 2026 - 00:15 euvd
EUVD-2026-25146
Analysis Generated
Apr 23, 2026 - 00:15 vuln.today
CVE Published
Apr 23, 2026 - 00:00 nvd
LOW 2.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on verl (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.7.1.

DescriptionCVE.org

A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Sandbox bypass in ByteDance verl up to version 0.7.0 allows remote attackers to achieve limited information disclosure through manipulation of the math_equal function in prime_math/grader.py. The vulnerability requires high attack complexity and has been publicly documented with exploit code available, though the vendor has not responded to early disclosure attempts.

Technical ContextAI

The vulnerability exists in the math_equal function within the prime_math/grader.py module of ByteDance verl, a machine learning training framework. The root cause is classified under CWE-265 (Improper Privilege Management / Insecure Direct Object References), indicating insufficient validation or authorization checks in the sandboxed evaluation context. The vulnerability allows circumvention of sandbox protections designed to safely evaluate mathematical expressions, potentially exposing internal state or computation results. The affected versions span from 0.1 through 0.7.0, suggesting the vulnerability has existed since early releases.

RemediationAI

No vendor-released patch has been identified at time of analysis due to the vendor's non-response to disclosure. Users should immediately upgrade to a version newer than 0.7.0 if one becomes available; however, the absence of vendor communication means current deployments cannot rely on an official security release. As compensating controls, restrict network access to verl evaluation endpoints using firewall rules or API gateway authentication to limit remote attack surface, isolate verl services into separate network segments to contain potential information leakage, and disable or restrict access to the math_equal function in prime_math/grader.py if not critical to your use case (document functional impact before disabling). Monitor for unusual access patterns to grader.py or unexpected outputs from mathematical evaluation functions. Consider forking verl and applying a patch that adds input validation to the math_equal function, or switch to alternative machine learning training frameworks with more active security governance if this vulnerability blocks your deployment timeline.

Share

CVE-2026-6878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy