ByteOS Network

NVD Vulnerability Details :

CVE-2026-31234

Deferred

Source-cve@mitre.org

Published At-12 May, 2026 | 18:16

Updated At-14 May, 2026 | 20:17

Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-502	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-502

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://github.com/horovod/horovod	cve@mitre.org	N/A
https://www.notion.so/CVE-2026-31234-35d1e139318881d585cde508b9d2453c	cve@mitre.org	N/A

Hyperlink: https://github.com/horovod/horovod

Source: cve@mitre.org

Resource: N/A

Hyperlink: https://www.notion.so/CVE-2026-31234-35d1e139318881d585cde508b9d2453c

Source: cve@mitre.org

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History