CVE-2026-24186

HighRCE

Published: 28 April 2026

Published

28 April 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24186 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Nvidia Nvflare. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents exploitation by validating and sanitizing FOBS-encoded messages to block deserialization of untrusted data.

SI-2 Flaw Remediation good match

prevent

Remediates the root deserialization flaw in the NVIDIA FLARE SDK FOBS component through timely identification, reporting, and patching.

SI-16 Memory Protection good match

prevent

Mitigates arbitrary code execution from deserialization exploits via memory protection mechanisms such as DEP and ASLR.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Deserialization of untrusted data (CWE-502) over a network-accessible interface directly enables remote arbitrary code execution in the FLARE FOBS component, mapping to exploitation of a public-facing application (T1190) followed by Python-based command execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerability might lead to code execution.

Deeper analysisAI

CVE-2026-24186 is a vulnerability in the NVIDIA FLARE SDK, specifically within its FOBS component, that enables deserialization of untrusted data. An attacker can trigger this by sending a malicious FOBS-encoded message, potentially leading to arbitrary code execution. The issue is classified under CWE-502 (Deserialization of Untrusted Data) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

Exploitation requires low privileges (PR:L) and can be performed over the network (AV:N) with low attack complexity and no user interaction. A successful attack allows the adversary to achieve code execution on the targeted system, compromising high levels of confidentiality, integrity, and availability without changing scope.

Mitigation details are available in published advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5819, as well as NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-24186 and CVE record https://www.cve.org/CVERecord?id=CVE-2026-24186. The vulnerability was published on 2026-04-28.

Details

CWE(s): CWE-502

Affected Products

nvidia

nvflare

≤ 2.7.2

CVEs Like This One

CVE-2026-24178Same product: Apple Macos

CVE-2025-23303Same product: Apple Macos

CVE-2025-23304Same product: Apple Macos

CVE-2026-27303Same product: Apple Macos

CVE-2026-34615Same product: Apple Macos

CVE-2025-27779Shared CWE-502

CVE-2025-24016Shared CWE-502

CVE-2026-24164Same vendor: Nvidia

CVE-2024-9701Shared CWE-502

CVE-2025-2000Shared CWE-502

References

https://nvd.nist.gov/vuln/detail/CVE-2026-24186
US Government Resource · psirt@nvidia.com
https://nvidia.custhelp.com/app/answers/detail/a_id/5819
Vendor Advisory · psirt@nvidia.com
https://www.cve.org/CVERecord?id=CVE-2026-24186
Third Party Advisory · psirt@nvidia.com