Severity by source
Vendor vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI assessment: Matched vendor AV:L/UI:R (local processing of crafted input); scored C:H for information disclosure but I:N/A:N, since the description supports only a confidentiality impact, unlike the vendor's I:H/A:H.
Primary rating from Vendor (nvidia).
CVSS Vector (Vendor: nvidia)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause server-side request forgery. A successful exploit of this vulnerability might lead to information disclosure.
Analysis (AI)
Server-side request forgery in NVIDIA Megatron Bridge for Linux allows an attacker to coerce the software into issuing attacker-controlled requests, potentially leading to disclosure of sensitive information. The flaw (CWE-918) was reported by NVIDIA itself and carries a vendor CVSS 3.1 score of 7.8; notably the vector is scored as local with required user interaction (AV:L/UI:R) rather than a classic remote SSRF, which security teams should reconcile against the SSRF classification. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an operator to process attacker-influenced input in Megatron Bridge: the CVSS vector's UI:R means a victim must take an action (loading a crafted model, dataset, or configuration reference), and AV:L means the trigger is local to the environment running the library rather than a directly network-reachable service. … |
| Risk Assessment | The signals are mixed. … |
| Exploit Scenario | An attacker crafts a malicious model, dataset, or configuration reference and induces an operator to load it in Megatron Bridge (satisfying the UI:R requirement); when processed, the library issues a request to an attacker-chosen internal endpoint such as a cloud metadata service, returning sensitive data like credentials or internal service responses to the attacker. Because AV:L/AC:L/PR:N applies, the attack needs local processing of the crafted input but no prior privileges. … |
| Remediation | Consult the NVIDIA product-security advisory at https://github.com/NVIDIA/product-security/tree/main/2026/5841 for the fixed release and upgrade Megatron Bridge to the patched version; an exact fix version was not provided in this data, so treat it as 'Patch available per vendor advisory' and confirm the version from that advisory before deployment. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running NVIDIA Megatron Bridge and document user access scope. …
External POC / Exploit Code
EUVD-2026-41040
GHSA-w6mv-qpwp-2h37