Cyber Resilience

CVE-2026-26210

CriticalPublic PoCRCE

Published: 23 April 2026

Published
23 April 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0070 48.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26210 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Kvcache-Ai Ktransformers. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26210 is an unsafe deserialization vulnerability (CWE-502) in KTransformers versions through 0.5.3. The issue resides in the balance_serve backend mode, where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces without authentication and deserializes incoming messages using the pickle.loads() function without any validation. Published on 2026-04-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Remote attackers require no privileges or user interaction to exploit the vulnerability over the network. By sending a crafted pickle payload to the exposed ZMQ socket, they can achieve arbitrary code execution on the server with the privileges of the ktransformers process, potentially leading to full compromise of the host.

Advisories and a patch are detailed in referenced sources, including a GitHub pull request at https://github.com/kvcache-ai/ktransformers/pull/1944, a technical post at https://chocapikk.com/posts/2026/ktransformers-pickle-rce/, and a VulnCheck advisory at https://www.vulncheck.com/advisories/ktransformers-unsafe-deserialization-rce-via-balance-serve.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send…

more

a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe pickle deserialization on unauthenticated, publicly bound ZMQ RPC socket directly enables remote arbitrary code execution (T1190 Exploit Public-Facing Application) via Python interpreter (T1059.006 Python).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50460Shared CWE-502
CVE-2026-24186Shared CWE-502
CVE-2025-27780Shared CWE-502
CVE-2025-56005Shared CWE-502
CVE-2026-31234Shared CWE-502
CVE-2025-23045Shared CWE-502
CVE-2026-31072Shared CWE-502
CVE-2024-9701Shared CWE-502
CVE-2025-27781Shared CWE-502
CVE-2025-2000Shared CWE-502

Affected Assets

kvcache-ai
ktransformers
≤ 0.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of incoming messages to the ZMQ socket before deserialization, directly preventing execution of crafted pickle payloads.

prevent

Mandates identification, reporting, and correction of the unsafe deserialization flaw, enabling application of the available vendor patch.

prevent

Monitors and controls network communications at boundaries to block unauthorized access to the ZMQ ROUTER socket bound to all interfaces.

References