Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-31234: Horovod 0.28.1 KVStore HTTP Server Allows Remote Code Execution
CVE-2026-31234
GHSA-mf8f-x4r3-jm8c
Summary
Horovod's distributed task coordination system has a security flaw that lets attackers run code on your computers. This happens because the system doesn't check who is sending data, and it can execute code sent by an attacker. You should update Horovod to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | horovod | <= 0.28.1 |
Original title
Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component
Original description
Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 12 May 2026 · Updated: 30 May 2026 · First seen: 13 May 2026