CVE-2026-31234 · CRITICAL 9.8 · EPSS percentile 47.8%


Description

Horovod through 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, which Horovod uses for distributed task coordination, has no authentication or authorization controls, so any remote attacker who can reach it can write arbitrary data with an HTTP PUT request. When a Horovod worker reads a value back from the KVStore with an HTTP GET, it deserializes the response with cloudpickle.loads() without verifying the data's source or integrity. An attacker exploits this by writing a malicious pickle payload to a key before the legitimate writer does; the next worker that reads the key deserializes the payload and executes attacker-controlled code, giving the attacker remote code execution on the worker.
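The mechanism above (unauthenticated PUT, worker GET, unconditional pickle load) is modelled in the following Python, added here as an illustration; it is not Horovod's code and not part of the advisory. An in-memory dict stands in for the KVStore HTTP server, the standard-library pickle stands in for cloudpickle (whose loads() is the stock Unpickler, so the deserialization behaviour is the same), and every name used (http_put, record, SECRET, the task0/addr key) is an assumption of the example. The vulnerable reader is shown beside a hardened one that verifies an HMAC tag before deserializing and refuses global lookups outside an allowlist.

```python
"""CVE-2026-31234 pattern: unauthenticated key/value store, client unpickles
whatever it reads back. Illustrative model, not Horovod's code."""
import hashlib
import hmac
import io
import pickle

# --- stand-in for the KVStore HTTP server: no authentication on PUT ----------
STORE = {}

def http_put(key, body):
    """Models PUT /<key>: any caller may overwrite any key."""
    STORE[key] = body

def http_get(key):
    """Models GET /<key>: returns the last body written, or None."""
    return STORE.get(key)

# --- evidence that attacker-chosen code ran on the worker -------------------
EXECUTED = []

def record(msg):
    """Benign stand-in for os.system(); a real payload references that instead."""
    EXECUTED.append(msg)
    return msg

class MaliciousPayload:
    """Pickling this emits a REDUCE opcode: loading it calls record(msg)."""
    def __reduce__(self):
        return (record, ("attacker payload ran",))

def attacker_write(key):
    """Attacker wins the race and stores a pickle under the key a worker reads."""
    http_put(key, pickle.dumps(MaliciousPayload()))

# --- vulnerable worker: the pattern the advisory describes ------------------
def vulnerable_worker_read(key):
    return pickle.loads(http_get(key))   # cloudpickle.loads() behaves the same

# --- hardened writer/reader (assumed design, not Horovod's fix) -------------
SECRET = b"per-job secret distributed out of band"   # constructed for the example
TAG_LEN = hashlib.sha256().digest_size
# Globals the reader may resolve; plain dict/list/str/int pickles need none.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

def _tag(key, blob):
    # Bind the key into the MAC so a signed value cannot be replayed under
    # a different key.
    return hmac.new(SECRET, key.encode() + b"\0" + blob, hashlib.sha256).digest()

def legitimate_write(key, value):
    blob = pickle.dumps(value)
    http_put(key, _tag(key, blob) + blob)

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup off the allowlist, so no REDUCE can reach
    os.system, subprocess, or a helper such as record()."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def hardened_worker_read(key):
    body = http_get(key)
    if body is None or len(body) < TAG_LEN:
        raise ValueError(f"{key}: missing or truncated value")
    tag, blob = body[:TAG_LEN], body[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, blob)):
        raise ValueError(f"{key}: MAC mismatch, refusing to deserialize")
    return RestrictedUnpickler(io.BytesIO(blob)).load()

# --- scenarios --------------------------------------------------------------
def demo_vulnerable():
    """Returns (value the worker got, what ran): code runs before any check."""
    STORE.clear()
    EXECUTED.clear()
    attacker_write("task0/addr")
    return vulnerable_worker_read("task0/addr"), list(EXECUTED)

def demo_hardened():
    """Returns (attacker blob rejected?, legitimate value read, what ran)."""
    STORE.clear()
    EXECUTED.clear()
    attacker_write("task0/addr")
    try:
        hardened_worker_read("task0/addr")
        rejected = False
    except ValueError:
        rejected = True
    legitimate_write("task0/addr", {"host": "10.0.0.5", "port": 29500})
    return rejected, hardened_worker_read("task0/addr"), list(EXECUTED)

def demo_allowlist():
    """A correctly signed pickle still cannot resolve a non-allowlisted global."""
    STORE.clear()
    EXECUTED.clear()
    legitimate_write("task0/addr", MaliciousPayload())
    try:
        hardened_worker_read("task0/addr")
        return False
    except pickle.UnpicklingError:
        return EXECUTED == []

if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("allowlist: ", demo_allowlist())
```

Two caveats on the hardened reader. The MAC only helps while the secret is unreadable by the attacker and is delivered to every worker out of band; it compensates for the missing authentication on PUT rather than replacing it. The allowlist is defence in depth for the case where a legitimate writer is compromised; the cleaner fix for coordination data such as host/port pairs is to stop sending pickle over the wire at all and use JSON with explicit schema checks.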

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% probability of exploitation · percentile 47.8% · 2026-06-19T12:03:05Z
Published: 2026-05-12
Last modified: 2026-05-14

Underlying weaknesses (1)

CWE-502

References

  1. https://github.com/horovod/horovod
  2. https://www.notion.so/CVE-2026-31234-35d1e139318881d585cde508b9d2453c


Type      Target                                        Confidence  Tier
Weakness  Deserialization of Untrusted Data (CWE-502)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-6544
CVE-2025-6507
CVE-2026-31229
CVE-2026-26210
CVE-2026-3960
CVE-2026-35337

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.