Severity score: 9.8
CVE-2026-31220: PySyft: Remote Code Execution via User-Submitted Code
CVE-2026-31220
GHSA-cfpg-c974-jfhq
Summary
PySyft versions 0.9.5 and earlier allow attackers to run malicious code on the server, potentially taking control of the server environment. This is a serious risk because it could allow an attacker to access sensitive data or disrupt your operations. To protect yourself, update to the latest version of PySyft.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | syft | <= 0.9.5 |
Original title
PySyft server-side arbitrary Python execution after code approval
Original description
PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions (via @sy.syft_function()) for remote execution on the server. While a code approval mechanism exists, the submitted code undergoes no security checks for dangerous operations (e.g., file access, command execution). Once approved, the code is executed within the server process using exec() and eval() functions without proper isolation. A remote attacker can leverage this to execute arbitrary Python code on the server, leading to complete compromise of the server environment.
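The description notes that submitted functions receive no security checks for dangerous operations before approval. The following is an added illustration, not PySyft's own code, of the kind of pre-approval screening step that is missing: it parses a submitted function's source with Python's `ast` module and flags dangerous imports and calls so an approver sees them before deciding. The deny-lists and the two sample submissions are constructed for this example.

```python
import ast
# Constructed deny-lists for illustration (not PySyft's own policy); names
# here should block automatic approval of a submitted function.
DENIED_MODULES = {"os", "subprocess", "sys", "shutil", "socket", "importlib", "ctypes", "pickle"}
DENIED_BUILTINS = {"exec", "eval", "compile", "open", "__import__", "getattr"}

def screen_submitted_code(source: str) -> list[str]:
    """Return findings for a submitted function body; [] means none flagged.

    Defence-in-depth only: AST screening can be evaded, so approved code must
    still run in an isolated process rather than inside the server process.
    """
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error ({exc.msg})"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    findings.append(f"line {node.lineno}: import of '{alias.name}'")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                findings.append(f"line {node.lineno}: import from '{node.module}'")
        elif isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id in DENIED_BUILTINS:
                findings.append(f"line {node.lineno}: call to builtin '{fn.id}'")
            elif (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
                  and fn.value.id in DENIED_MODULES):
                findings.append(f"line {node.lineno}: call to '{fn.value.id}.{fn.attr}'")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Dunder attribute access is a common building block of sandbox escapes.
            findings.append(f"line {node.lineno}: dunder attribute '{node.attr}'")
    return findings

# Constructed sample submissions in the @sy.syft_function() style.
BENIGN_SUBMISSION = """
@sy.syft_function()
def mean_age(ages):
    return sum(ages) / len(ages)
"""
SUSPICIOUS_SUBMISSION = """
@sy.syft_function()
def list_server_root(ages):
    import os
    return os.listdir("/")
"""
```

A non-empty findings list should route the request to manual review and, regardless of the result, the approved function should still be executed outside the server process.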
Vulnerability type
CWE-94
Code Injection
Published: 12 May 2026 · Updated: 28 May 2026 · First seen: 12 May 2026