CVE-2026-24178

Critical

Published: 28 April 2026

Published

28 April 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 32.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code…

execution, and denial of service.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly addresses the authorization bypass vulnerability by enforcing approved authorizations in the NVFlare Dashboard's user management system.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of the user-controlled key through validation of information inputs to the authentication system.

SI-2 Flaw Remediation good match

prevent

Mitigates the specific flaw in NVFlare Dashboard by requiring timely remediation of identified vulnerabilities.

Security SummaryAI

CVE-2026-24178 is a critical authorization bypass vulnerability (CWE-639) in the user management and authentication system of the NVIDIA NVFlare Dashboard. Published on 2026-04-28, it enables an unauthenticated attacker to exploit a user-controlled key, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw affects the NVFlare Dashboard component, part of NVIDIA's federated learning platform.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation may result in privilege escalation, data tampering, information disclosure, arbitrary code execution, and denial of service, potentially compromising the entire NVFlare environment.

Mitigation details are available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5819, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-24178, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-24178. Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s): CWE-639

Affected Products

nvidia

nvflare

≤ 2.7.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Critical authorization bypass in public-facing NVFlare Dashboard enables unauthenticated remote exploitation (T1190) leading to privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://nvd.nist.gov/vuln/detail/CVE-2026-24178
US Government Resource · psirt@nvidia.com
https://nvidia.custhelp.com/app/answers/detail/a_id/5819
Vendor Advisory · psirt@nvidia.com
https://www.cve.org/CVERecord?id=CVE-2026-24178
Third Party Advisory · psirt@nvidia.com