CVE-2026-4851
Published: 29 March 2026
Summary
CVE-2026-4851 is a critical-severity Eval Injection (CWE-95) vulnerability in Casiano Grid. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 26.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs from remote hosts in the RPC protocol to block malicious Perl code embedded in deserialization payloads before execution via eval().
- SI-2 (Flaw Remediation): mandates identification, reporting, and remediation of flaws like the unsafe deserialization in GRID::Machine, including patches or workarounds when available.
- Enforces risk assessment and restrictions on connecting to external remote hosts with GRID::Machine, ensuring only trusted and secure systems are used to mitigate exploitation from compromised hosts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization combined with eval() of the RPC response on the client directly enables client-side RCE (T1203) and Unix shell command execution via system() calls (T1059.004).
NVD Description
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol. read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval():

    $arg .= '$VAR1';
    my $val = eval "no strict; $arg";   # lines 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary Perl in the Dumper-formatted response:

    $VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, as the return values remain correct. This functionality is by design, but the trust requirement for the remote host is not documented in the distribution.
Deeper analysis
CVE-2026-4851 is an arbitrary code execution vulnerability affecting GRID::Machine versions through 0.127, a Perl module that enables Remote Procedure Calls (RPC) over SSH. The client connects to remote hosts to execute code, but unsafe deserialization in the RPC protocol allows a compromised or malicious remote host to execute arbitrary code on the client. Specifically, the read_operation() function in lib/GRID/Machine/Message.pm deserializes values from the remote side using an eval() on raw bytes received via the protocol pipe, such as $arg .= '$VAR1'; my $val = eval "no strict; $arg";. A malicious remote host can embed arbitrary Perl code in a Dumper-formatted response, for example $VAR1 = do { system("..."); }, which executes silently on the client during every RPC call while preserving correct return values. The vulnerability is scored at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-502 (Deserialization of Untrusted Data).
An attacker who controls or compromises a remote host targeted by the GRID::Machine client can exploit this vulnerability over the network with low complexity and no privileges or user interaction required. When the client initiates an RPC call via SSH, the remote host responds with a crafted message that triggers code execution on the client machine through the unsafe eval(). This allows the attacker to achieve full confidentiality, integrity, and availability impacts, such as running system commands, stealing data, or installing malware on the client system hosting the Perl application.
The vulnerability disclosure appears on the oss-security mailing list at https://www.openwall.com/lists/oss-security/2026/03/26/6. The functionality is by design but relies on an undocumented trust requirement for remote hosts, so mitigation consists of using only trusted, secure remote hosts with GRID::Machine and avoiding connections to potentially compromised servers. No patches or version updates are mentioned in the provided details.
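As an added illustration (not code from GRID::Machine or from the advisory), the Perl below contrasts the eval-based deserialization pattern quoted above with a variant that evaluates the Dumper text inside a Safe compartment limited to data-building opcodes, so a response carrying a system() call is rejected at compile time instead of executed. The function names decode_unsafe and decode_restricted, the opcode set chosen, and both sample messages are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;
use Data::Dumper;

# Vulnerable shape, mirroring the read_operation() lines the advisory quotes:
# raw protocol bytes are compiled and run as Perl with the client's privileges.
sub decode_unsafe {
    my ($arg) = @_;
    $arg .= '$VAR1';
    my $val = eval "no strict; $arg";
    die $@ if $@;
    return $val;
}

# Hardened shape (stop-gap; a data-only wire format such as JSON is the real
# fix): evaluate inside a Safe compartment that permits only the opcodes
# Data::Dumper output needs (constants, assignments, anon lists and hashes).
# system(), backticks, open(), require and friends fall outside the mask and
# are trapped when the payload is compiled, before any statement runs.
sub decode_restricted {
    my ($arg) = @_;
    my $cpt = Safe->new;
    $cpt->permit_only(qw(:base_core :base_mem));
    my $val = $cpt->reval($arg . '$VAR1');
    die "rejected untrusted payload: $@" if $@;
    return $val;
}

# Constructed sample messages; not real GRID::Machine traffic.
my $benign  = Dumper({ status => 'ok', values => [1, 2, 3] });
my $hostile = '$VAR1 = do { system("true"); "ok" };' . "\n";

# Both decoders agree on a well-formed response.
my $a = decode_unsafe($benign);
my $b = decode_restricted($benign);
print "benign: status=$a->{status} values=", scalar @{ $b->{values} }, "\n";

# Only the restricted decoder is given the hostile message; decode_unsafe
# would have run system() here with the client's privileges.
my $res = eval { decode_restricted($hostile) };
print "hostile: ", defined $res ? "ACCEPTED\n" : "blocked: $@";
```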
Details
- CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), CWE-502 (Deserialization of Untrusted Data)