Versions: 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10
A Path Traversal vulnerability (CVE-2026-5535) has been identified in FedML, affecting versions 0.8.0 through 0.8.9. The flaw is in the MQTT message handler of the FileUtils.java component, which builds a file path from the dataSet argument of an incoming message without confining the result to the intended directory, so an attacker who can deliver messages to the handler can read files outside it. The vulnerability is remotely exploitable and a public proof-of-concept exists, which makes it a significant security concern. The vendor has not responded to early disclosure attempts, but mitigation strategies are available.
Successful exploitation of CVE-2026-5535 lets an attacker read any file on the host that the FedML process itself can read. This could expose configuration files, database or broker credentials, keys, or source code. Because the attack arrives over MQTT, the attacker does not need local access to the system. With a public exploit available, the blast radius covers any reachable deployment of the affected FedML versions. The lack of vendor response compounds the risk, since no official patch is currently available.
CVE-2026-5535 was disclosed on 2026-04-05 and a public proof-of-concept is available, which lowers the skill needed to exploit it even though its EPSS score is currently low (0.04%, 13th percentile). The vulnerability is not listed on CISA KEV, but the public exploit and the absence of a vendor response warrant close monitoring, and opportunistic campaigns against exposed deployments are plausible given how easy the traversal is to trigger.
Exploit Status
EPSS: 0.04% (13th percentile)
Because there is no vendor-supplied patch, immediate mitigation focuses on limiting exposure and restricting access. If you maintain a fork or can patch locally, add strict validation of the dataSet argument in the MQTT message handler: normalize the joined path and reject any value that resolves outside the dataset directory, rather than only filtering the literal string "../". Note that a conventional Web Application Firewall does not see MQTT traffic, so the equivalent control here is the broker: require authentication, restrict which clients may publish to the topics the handler subscribes to, and expose the broker only to the hosts that need it. Network segmentation further limits the impact by isolating the FedML application from other critical systems. Monitor application and system logs for file reads outside the expected dataset directory, and review and restrict file permissions within the FedML installation directory so that the process can read as little of the host as possible.
When FedML publishes a release that fixes the path traversal in MQTT message handling, upgrade to it; at the time of writing no fixed version is identified. Consult the vendor's documentation or changelogs for the patched version and upgrade instructions.
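The containment check the mitigation above asks for, as an added example written for this page rather than FedML's own FileUtils.java code. The class and method names are assumptions, and the dataset directory, files and symlink are constructed for the demonstration; the vulnerable method shows the unchecked concatenation pattern, the hardened one the normalize-and-contain check.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Illustrative only: resolves a dataset name taken from a message onto a base directory. */
public class DatasetPathCheck {

    /** Vulnerable pattern: the message-supplied name is joined with no containment check. */
    public static Path unsafeResolve(Path baseDir, String dataSet) {
        // "../../etc/passwd" or an absolute path simply escapes baseDir.
        return baseDir.resolve(dataSet);
    }

    /**
     * Hardened version: normalize the joined path and require it to stay under baseDir,
     * then repeat the check on the symlink-resolved path of the existing file.
     */
    public static Path safeResolve(Path baseDir, String dataSet) throws IOException {
        if (dataSet == null || dataSet.isEmpty() || dataSet.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid dataset name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() returns an absolute argument unchanged, so an absolute attacker
        // path is caught by the startsWith check rather than silently accepted.
        Path candidate = base.resolve(dataSet).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes dataset directory: " + dataSet);
        }
        // A symlink inside base may still point outside it; toRealPath() follows links.
        Path realBase = base.toRealPath();
        Path realCandidate = candidate.toRealPath();
        if (!realCandidate.startsWith(realBase)) {
            throw new IllegalArgumentException("symlink escapes dataset directory: " + dataSet);
        }
        return realCandidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/datasets/mnist.csv, <tmp>/secret.txt,
        // and <tmp>/datasets/link -> <tmp>/secret.txt (when symlinks are permitted).
        Path tmp = Files.createTempDirectory("traversal-demo");
        Path datasets = Files.createDirectory(tmp.resolve("datasets"));
        Files.writeString(datasets.resolve("mnist.csv"), "1,2,3\n");
        Path outside = Files.writeString(tmp.resolve("secret.txt"), "token\n");
        try {
            Files.createSymbolicLink(datasets.resolve("link"), outside);
        } catch (UnsupportedOperationException | IOException e) {
            // symlinks may be unavailable on this platform; the "link" case then fails as missing
        }

        String[] inputs = {
            "mnist.csv",                      // legitimate
            "../secret.txt",                  // classic traversal
            "sub/../../secret.txt",           // traversal hidden behind a bogus subdirectory
            outside.toAbsolutePath().toString(), // absolute path
            "link",                           // symlink escaping the directory
        };
        for (String in : inputs) {
            System.out.println("unsafe: " + in + " -> " + unsafeResolve(datasets, in).normalize());
            try {
                System.out.println("safe:   " + in + " -> " + safeResolve(datasets, in));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("safe:   " + in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac DatasetPathCheck.java && java DatasetPathCheck` (Java 11 or later for Files.writeString). The hardened method returns only the legitimate file and rejects the three escapes and the symlink. The check operates on the already-decoded name; if the handler percent-decodes or otherwise transforms the value later, apply the check to the final decoded string, not to the raw message.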
CVE-2026-5535 is a Path Traversal vulnerability affecting FedML versions 0.8.0–0.8.9. It allows attackers to read files outside the intended directory by manipulating the dataSet argument of an MQTT message handled by FileUtils.java.
If you are running FedML version 0.8.0 through 0.8.9, you are potentially affected by this vulnerability. Assess your environment and implement mitigation strategies immediately.
Currently, there is no official patch available. Implement mitigation strategies such as input validation, WAF rules, and network segmentation to reduce your risk.
A public proof-of-concept exists, so exploitation requires little skill even though the EPSS score is currently low. Monitor your systems closely and implement mitigation strategies proactively.
As of the disclosure date, FedML has not released an official advisory. Monitor the FedML website and security mailing lists for updates.