Description
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.
Published: 2026-05-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass flaw exists in NVIDIA Triton Inference Server that permits an attacker to access services without valid credentials. Once authentication bypass is achieved, the attacker can execute arbitrary code on the host, elevate privileges, tamper with model data, cause denial of service, or exfiltrate sensitive information. This flaw is categorized as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) because the server fails to enforce required authentication policies.

Affected Systems

NVIDIA Triton Inference Server is affected. Specific version numbers were not disclosed in the advisory, so all current releases and potentially previous ones that have not applied the patch remain vulnerable until an update is deployed.

Risk and Exploitability

The CVSS base score of 9.8 marks the vulnerability as critical, and the lack of an EPSS score does not reduce the inherent risk. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would likely occur over a network interface that exposes the inference service; an attacker would need to send specially crafted requests that trigger the authentication bypass logic, potentially enabling code execution. Successful exploitation could lead to full system compromise.

Generated by OpenCVE AI on May 20, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest NVIDIA Triton Inference Server release that contains the authentication bypass fix.
  • If a timely patch cannot be applied, restrict inbound access to the inference server to trusted IP ranges and enable network‑level authentication or VPN requirements.
  • Enable detailed logging of authentication attempts and monitor for anomalous access patterns that may indicate bypass attempts.

Advisories

No advisories yet.

History

Wed, 20 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel

Wed, 20 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 05:30:00 +0000

Type | Values Removed | Values Added
Title | | Authentication Bypass Allowing Unauthorized Access, Code Execution, and Privilege Escalation in NVIDIA Triton Inference Server

Wed, 20 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nvidia; Nvidia triton Inference Server
Vendors & Products | | Nvidia; Nvidia triton Inference Server

Wed, 20 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.
Weaknesses | | CWE-288
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: nvidia

Published:

Updated: 2026-05-20T12:26:06.901Z

Reserved: 2026-01-21T19:09:34.871Z

Link: CVE-2026-24207

Vulnrichment

Updated: 2026-05-20T12:26:02.895Z

NVD

Status: Analyzed

Published: 2026-05-20T04:16:45.960

Modified: 2026-05-20T17:30:43.320

Link: CVE-2026-24207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T05:30:05Z

Weaknesses