CVE-2026-5535
Published: 05 April 2026
Summary
CVE-2026-5535 is a low-severity Path Traversal (CWE-22) vulnerability in Tensoropera Fedml. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries; in the Data-Related Vulnerabilities risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19017
Vulnerability details
A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the argument dataSet results in path traversal. The attack…
more
is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Machine Learning Libraries
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote path traversal (CWE-22) in a message handler component directly enables exploitation of a public-facing or remotely accessible application.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.