Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 12 pypi packages depend on horovod (12 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.28.1.
DescriptionCVE.org
Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.
AnalysisAI
Remote code execution in Horovod distributed training framework (versions through 0.28.1) allows unauthenticated network attackers to execute arbitrary code on worker nodes by injecting malicious pickle payloads into the KVStore HTTP server. The vulnerability combines unauthenticated write access to the KVStore coordination server with unsafe deserialization using cloudpickle.loads(), enabling trivial exploitation against any reachable Horovod cluster. EPSS score of 0.12% (31st percentile) suggests low widespread exploitation probability despite critical CVSS 9.8 rating, and no active exploitation confirmed (not in CISA KEV). Public exploit development is highly feasible given the straightforward attack path and publicly documented details.
Technical ContextAI
Horovod is a distributed deep learning training framework for TensorFlow, Keras, PyTorch, and Apache MXNet. The vulnerability resides in the KVStore component, an HTTP-based key-value server used for coordinating distributed training tasks across worker nodes. The root cause (CWE-502: Deserialization of Untrusted Data) occurs when workers retrieve data from KVStore via HTTP GET and blindly deserialize it using Python's cloudpickle.loads() function without integrity verification. The KVStore HTTP server accepts unauthenticated PUT requests, allowing any network-accessible attacker to poison the stored data with malicious pickle payloads. Python pickle deserialization is inherently unsafe when handling untrusted data because pickle can encode arbitrary object construction instructions, including calls to os.system(), subprocess, or __reduce__ magic methods that execute code during deserialization. CPE data shows minimal product identification (cpe:2.3:a:n/a:n/a), but GitHub reference confirms the Horovod project as the affected component.
RemediationAI
No vendor-released patch version is confirmed in available references - the Horovod GitHub repository link (https://github.com/horovod/horovod) does not specify a fixed release version. Organizations should monitor the official Horovod repository for security patches addressing CVE-2026-31234 and upgrade immediately when available. Until a patch is released, implement network segmentation to restrict KVStore HTTP server access to trusted internal networks only - use firewall rules to block external access to KVStore ports (typically custom ports in the 8000-9000 range depending on configuration). Consider deploying a reverse proxy with authentication middleware in front of KVStore endpoints to enforce access controls, though this requires modifying the deployment architecture and may impact worker coordination performance. For high-security environments, disable the KVStore HTTP server entirely if alternative coordination mechanisms are available in your Horovod deployment model, though this may limit distributed training capabilities. Each mitigation has trade-offs: network segmentation assumes internal network trust, reverse proxy adds latency and complexity, and disabling KVStore may break existing training workflows. Verify mitigation effectiveness by attempting unauthorized PUT requests from untrusted network segments.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29557
GHSA-mf8f-x4r3-jm8c