CVE-2026-24178
Published: 28 April 2026
Summary
CVE-2026-24178 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Nvidia Nvflare. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the authorization bypass vulnerability by enforcing approved authorizations in the NVFlare Dashboard's user management system.
Prevents exploitation of the user-controlled key through validation of information inputs to the authentication system.
Mitigates the specific flaw in NVFlare Dashboard by requiring timely remediation of identified vulnerabilities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Critical authorization bypass in public-facing NVFlare Dashboard enables unauthenticated remote exploitation (T1190) leading to privilege escalation (T1068).
NVD Description
NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code…
more
execution, and denial of service.
Deeper analysisAI
CVE-2026-24178 is a critical authorization bypass vulnerability (CWE-639) in the user management and authentication system of the NVIDIA NVFlare Dashboard. Published on 2026-04-28, it enables an unauthenticated attacker to exploit a user-controlled key, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw affects the NVFlare Dashboard component, part of NVIDIA's federated learning platform.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation may result in privilege escalation, data tampering, information disclosure, arbitrary code execution, and denial of service, potentially compromising the entire NVFlare environment.
Mitigation details are available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5819, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-24178, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24178. Security practitioners should consult these for patching instructions and workarounds.
Details
- CWE(s)