CVE-2026-25873

CriticalPublic PoC

Published: 18 March 2026

Published

18 March 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution…

on the host system running the exposed service.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the insecure pickle deserialization vulnerability by requiring validation of untrusted HTTP POST request bodies to block malicious payloads.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the specific deserialization flaw in the reward server component, eliminating the RCE vulnerability.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires identification and authentication for non-organizational users, preventing unauthenticated remote attackers from sending exploitable POST requests to the reward server.

Security SummaryAI

CVE-2026-25873 is an unauthenticated remote code execution vulnerability in the reward server component of OmniGen2-RL. The flaw arises from insecure pickle deserialization of HTTP POST request bodies, enabling remote attackers to execute arbitrary commands on the host system running the exposed service. Published on 2026-03-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-502 (Deserialization of Untrusted Data).

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction by sending crafted malicious HTTP POST requests to the reward server. Exploitation leads to arbitrary code execution on the host, with high impacts on confidentiality, integrity, and availability, potentially allowing full system compromise.

References point to an arXiv paper (https://arxiv.org/abs/2506.18871), a detailed blog post on the OmniGen2 pickle RCE (https://chocapikk.com/posts/2026/omnigen2-pickle-rce/), and specific GitHub code locations in the OmniGen2-RL repository, including reward_proxy.py lines 208 and 224, and reward_server.py line 118, which highlight the vulnerable deserialization logic. No vendor patches or formal mitigation advisories are detailed in the provided references.

Details

CWE(s): CWE-502

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-25873 enables unauthenticated remote code execution by exploiting insecure pickle deserialization in a public-facing HTTP reward server, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://arxiv.org/abs/2506.18871
disclosure@vulncheck.com
https://chocapikk.com/posts/2026/omnigen2-pickle-rce/
disclosure@vulncheck.com
https://github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_proxy.py#L208
disclosure@vulncheck.com
https://github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_proxy.py#L224
disclosure@vulncheck.com
https://github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_server.py#L118
disclosure@vulncheck.com
https://github.com/VectorSpaceLab/OmniGen2/pull/139
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/omnigen2-rl-reward-server-unsafe-deserialization-rce
disclosure@vulncheck.com