CVE-2026-44484
Published: 14 May 2026
Summary
CVE-2026-44484 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Lightningai Pytorch Lightning. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Supply Chain and Deployment risk domain.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30303
Vulnerability details
PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Deep Learning Frameworks
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, deep learning, pytorch
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Embedded malicious code (CWE-506) implements credential harvesting, directly enabling T1552 (Unsecured Credentials) and T1555 (Credentials from Password Stores).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Restricting software to licensed versions and controlling P2P prevents introduction of software containing embedded malicious code from unauthorized sources.
Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.
The approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code.
Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators.
Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.
The control mandates vetting suppliers and tamper detection, making it harder for malicious code to be embedded by upstream providers.
Directly reduces risk of embedded malicious code by requiring verification that acquired or developed components perform only as specified without hidden malicious behavior.