Cyber Resilience

CVE-2026-44484

Critical · RCE · Updated

Published: 14 May 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS v4.0 base score: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0039 (31.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-44484 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Lightning AI's PyTorch Lightning. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). EPSS ranks it at the 31.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: categorised as Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.

Vulnerability details

PyTorch Lightning is a deep learning framework for pretraining and fine-tuning AI models. Versions 2.6.2 and 2.6.3 introduced functionality consistent with a credential-harvesting mechanism. Because the weakness is code embedded in the released package itself (CWE-506) rather than a setting that has to be misconfigured, any environment that installed either release should be treated as exposed until the package is removed or replaced, and credentials reachable from that environment should be considered for rotation.

CWE(s)

CWE-506 Embedded Malicious Code
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

AI Security Analysis

AI Category
Deep Learning Frameworks
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, deep learning, pytorch

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1555 Credentials from Password Stores (Credential Access)
Adversaries may search for common password storage locations to obtain user credentials.
Why these techniques?

Embedded malicious code (CWE-506) implements credential harvesting, directly enabling T1552 (Unsecured Credentials) and T1555 (Credentials from Password Stores).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: Lightning AI
Product: PyTorch Lightning
Versions: 2.6.2, 2.6.3

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-506, CWE-829: Restricting software to licensed versions and controlling peer-to-peer file sharing prevents the introduction of software containing embedded malicious code from unauthorized sources.

addresses CWE-506, CWE-829: Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

addresses CWE-506, CWE-829: Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.

addresses CWE-506, CWE-829: An approval and review process for maintenance tools can prevent the introduction or continued use of tools containing embedded malicious code.

addresses CWE-506, CWE-829: A supply chain strategy requires vetting and controls during acquisition to prevent or detect the insertion of malicious code by vendors or integrators.

addresses CWE-506, CWE-829: Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.

addresses CWE-506, CWE-829: Mandating supplier vetting and tamper detection makes it harder for malicious code to be embedded by upstream providers.

addresses CWE-506, CWE-829: Requiring verification that acquired or developed components perform only as specified, without hidden malicious behaviour, directly reduces the risk of embedded malicious code.
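The inventory-review and installation-policy controls above, applied to the releases listed under Affected Assets, come down to one concrete check: does any requirements or lock file select 2.6.2 or 2.6.3, and is either release present in a running environment? The script below is an added example, not code from Lightning AI or from this page. It assumes the PyPI distribution name `pytorch-lightning` for the product named here and, as a further assumption, also checks `lightning`, the second name under which the project publishes the same code base. The requirements text at the bottom is constructed sample input, not a real project's lock file.

```python
"""Audit requirement files and the running environment for the PyTorch Lightning
releases this entry lists as affected (2.6.2 and 2.6.3).

Added example; not code from Lightning AI or from the original page.
"""
import re
from importlib import metadata

# Versions the entry lists under Affected Assets.
AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}

# Distribution names to flag (PEP 503 normalized). "pytorch-lightning" is the
# name on this page; "lightning" is an assumption, included because the project
# also publishes the same code base under that name.
AFFECTED_DISTS = {"pytorch-lightning", "lightning"}

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_SPEC_RE = re.compile(r"(===|==|!=|~=|>=|<=|<|>)\s*([^\s,]+)")


def normalize(name):
    """PEP 503 normalization: lower-case and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line):
    """Return (normalized name, [(op, version), ...]) for one requirements line,
    or None for blank lines, comments and pip options (-r, --hash, -e, ...)."""
    line = line.split("#", 1)[0].strip().rstrip("\\").strip()
    if not line or line.startswith("-"):
        return None
    line = line.split(";", 1)[0]          # drop environment markers
    m = _NAME_RE.match(line)
    if not m:
        return None
    name, rest = m.groups()
    return normalize(name), _SPEC_RE.findall(rest)


def pin_matches(pin, version):
    """True if an exact pin (possibly a wildcard such as 2.6.*) covers version."""
    if pin.endswith(".*"):
        return version.startswith(pin[:-1])
    return pin == version


def affected_pins(requirements_text):
    """Classify every line naming an affected distribution.

    Returns (line number, name, status, detail) tuples where status is:
      affected  - an exact pin (or wildcard pin) selects an affected release
      excluded  - '!=' specifiers rule out every affected release
      unpinned  - a range or bare name that still admits an affected release
    Lines pinned to some other exact version are not reported.
    """
    findings = []
    for lineno, raw in enumerate(requirements_text.splitlines(), 1):
        parsed = parse_requirement(raw)
        if parsed is None or parsed[0] not in AFFECTED_DISTS:
            continue
        name, specs = parsed
        pins = [v for op, v in specs if op in ("==", "===")]
        excluded = {v for op, v in specs if op == "!="}
        hits = [p for p in pins if any(pin_matches(p, a) for a in AFFECTED_VERSIONS)]
        spec_text = ",".join(op + v for op, v in specs) or "*"
        if hits:
            findings.append((lineno, name, "affected", hits[0]))
        elif pins:
            continue                        # pinned to an unaffected release
        elif AFFECTED_VERSIONS <= excluded:
            findings.append((lineno, name, "excluded", spec_text))
        else:
            findings.append((lineno, name, "unpinned", spec_text))
    return findings


def affected_installed(distributions=None):
    """Return sorted (name, version) pairs for affected releases present in the
    running interpreter. Pass (name, version) pairs to audit something else."""
    if distributions is None:
        distributions = ((d.metadata.get("Name", "") or "", d.version)
                         for d in metadata.distributions())
    return sorted(
        (normalize(n), v) for n, v in distributions
        if normalize(n) in AFFECTED_DISTS and v in AFFECTED_VERSIONS
    )


# Constructed sample input, not a real project's lock file.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project lock file
torch==2.4.0
pytorch-lightning==2.6.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Lightning[extra]==2.6.*
lightning>=2.5,<2.7 ; python_version >= "3.9"
pytorch_lightning!=2.6.2,!=2.6.3
pytorch-lightning==2.6.1
"""

if __name__ == "__main__":
    for lineno, name, status, detail in affected_pins(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name} {status} ({detail})")
    for name, version in affected_installed():
        print(f"installed: {name} {version}")
```

The "excluded" status corresponds to the installation-policy control: a pip constraints file containing `pytorch-lightning!=2.6.2,!=2.6.3` (passed with `-c`) keeps every resolve in the organisation away from the two releases without editing each project's requirements. Note what hash pinning does and does not buy here: a `--hash` lock detects an artifact that changed after it was reviewed, but when the malicious code ships in the official release itself, the lock faithfully pins the bad artifact, which is why the version check above is needed alongside tamper detection.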
