Description
NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.
Published: 2026-04-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NVIDIA’s NVFlare Dashboard allows an unauthenticated attacker to bypass the authorization mechanism through a user‑controlled key. This bypass can be leveraged to gain elevated privileges, tamper with data, disclose sensitive information, execute arbitrary code, or disrupt service availability.

Affected Systems

NVIDIA FLARE SDK is affected by this flaw.

Risk and Exploitability

The CVSS score of 9.8 indicates a high‑risk vulnerability, and the EPSS score is not available, suggesting that the exploitation likelihood is uncertain but potentially significant. It is not listed in the CISA KEV catalog. Because the description explicitly states that an unauthenticated attacker can achieve an authorization bypass, the likely attack vector involves manipulating user‑controlled input (e.g., a key) supplied via the dashboard’s authentication interfaces, though the precise method is not detailed in the available data.

Generated by OpenCVE AI on April 28, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch for NVIDIA FLARE SDK as soon as it becomes available
  • Restrict access to the dashboard by placing it behind a firewall or network segment that enforces strict authentication and network access policies
  • Ensure that any user‑controlled keys are validated against a secure hash or signature before use, and audit authentication logs for unexpected key manipulation attempts

Generated by OpenCVE AI on April 28, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Nvidia nvflare
CPEs cpe:2.3:a:nvidia:nvflare:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Nvidia nvflare

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Nvidia
Nvidia flare Sdk
Vendors & Products Nvidia
Nvidia flare Sdk

Tue, 28 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Authorization Bypass via User‑Controlled Key in NVIDIA FLARE Dashboard

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Apple Macos
Linux Linux Kernel
Nvidia Flare Sdk Nvflare
cve-icon MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-04-29T15:12:11.976Z

Reserved: 2026-01-21T19:09:31.778Z

Link: CVE-2026-24178

cve-icon Vulnrichment

Updated: 2026-04-29T13:42:56.516Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T19:36:45.127

Modified: 2026-05-04T14:34:01.557

Link: CVE-2026-24178

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T10:10:34Z

Weaknesses