CVE-2026-6878 - Vulnerability Details

- ByteDance verl grader.py math_equal sandbox

Description

A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-23

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In ByteDance verl, the math_equal function in prime_math/grader.py is vulnerable to a sandbox issue; the description indicates that remote attacks are possible. Based on the description, it is inferred that an attacker could potentially escape the sandbox and execute code beyond intended boundaries. This is a privilege escalation vulnerability (CWE‑264 and CWE‑265).

Affected Systems

ByteDance verl versions up to 0.7.0 are affected; the vulnerability resides in the prime_math/grader.py module. Any deployment using a 0.7.0 or earlier release must evaluate the risk.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation. However, the existence of a publicly available exploit and the remote nature of the attack raise concerns. It is inferred that the presence of an exploit may lower the effective barrier for skilled adversaries.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ByteDance

verl

affected

Version	Status	Constraints
`0.1`	affected	—
`0.2`	affected	—
`0.3`	affected	—
`0.4`	affected	—
`0.5`	affected	—
`0.6`	affected	—
`0.7.0`	affected	—

No data.

Vendor Product Confidence Versions

Bytedance

Verl

100%

Version	Status	Scheme	Platform
`0.1`	affected	generic	—
`0.2`	affected	generic	—
`0.3`	affected	generic	—
`0.4`	affected	generic	—
`0.5`	affected	generic	—
`0.6`	affected	generic	—
`0.7.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ByteDance verl to a version newer than 0.7.0 when available
Restrict the environment to run verl with minimal permissions and apply a hard‑coded sandbox to enforce least privilege
Implement network access controls to limit exposure of the vulnerable API endpoint
Monitor logs for anomalous calls to prime_math/grader.py

Generated by OpenCVE AI on April 28, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-h57c-v2v3-5v3v	verl's math_equal() Vulnerable to Arbitrary Code Execution via Unsafe eval()

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/zast-ai/vulnerability-reports/blob/main/bytedance/verl_rce.md
https://vuldb.com/submit/795257
https://vuldb.com/vuln/359040
https://vuldb.com/vuln/359040/cti

History

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bytedance Bytedance verl
Vendors & Products		Bytedance Bytedance verl

Thu, 23 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		ByteDance verl grader.py math_equal sandbox
Weaknesses		CWE-264 CWE-265
References		https://github.com/zast-ai/vulnerability-reports/blob/main/bytedance/verl_rce.md https://vuldb.com/submit/795257 https://vuldb.com/vuln/359040 https://vuldb.com/vuln/359040/cti
Metrics		cvssV2_0 `{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Bytedance Verl

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-23T00:00:20.300Z

Updated: 2026-04-23T12:49:00.762Z

Reserved: 2026-04-22T18:22:59.992Z

Link: CVE-2026-6878

Vulnrichment

Updated: 2026-04-23T12:48:55.475Z

NVD

Status : Deferred

Published: 2026-04-23T00:16:47.233

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6878

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object