Description
NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS-encoded message. A successful exploit of this vulnerability might lead to code execution.
Published: 2026-04-28
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NVIDIA FLARE SDK contains a flaw in the FOBS component that allows an attacker to send a maliciously crafted FOBS-encoded message. The SDK will deserialize the data without proper validation, which can trigger arbitrary code execution. The vulnerability is a classic case of Deserialization of Untrusted Data (CWE-502), and a successful exploit could compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

All installations of NVIDIA FLARE SDK are potentially affected. The exact version numbers that contain the flaw are not specified, so every deployed instance should be considered at risk until a vendor patch is released.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Although the input does not state the attack vector, the description of a message that can be sent suggests that the exploit can be performed remotely over a network connection to a system running FLARE SDK. Given the risk rating and the lack of an official patch at this time, the potential for exploitation remains significant.

Generated by OpenCVE AI on April 28, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or update as soon as it becomes available.
  • If a patch cannot be applied immediately, limit or disable the FOBS message handling functionality to prevent untrusted data from being processed.
  • Monitor network traffic for unexpected or malformed FOBS messages and log any anomalies for further investigation.
  • Implement input validation or switch to a safer deserialization library to mitigate the CWE-502 weakness.


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Nvidia; Nvidia flare Sdk
Vendors & Products | (none) | Nvidia; Nvidia flare Sdk

Tue, 28 Apr 2026 23:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | Deserialization of Untrusted Data in NVIDIA FLARE SDK FOBS Leading to Code Execution

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS-encoded message. A successful exploit of this vulnerability might lead to code execution.
Weaknesses | (none) | CWE-502
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Nvidia Flare Sdk
MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-04-28T17:45:40.517Z

Reserved: 2026-01-21T19:09:32.732Z

Link: CVE-2026-24186

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:36:45.277

Modified: 2026-04-28T20:10:42.070

Link: CVE-2026-24186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:32Z

Weaknesses