Platform
python
Component
fedml
Fixed in
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
CVE-2026-5536 describes an insecure deserialization vulnerability affecting FedML versions 0.8.0 through 0.8.9. This flaw resides within the sendMessage function of the grpc_server.py file, allowing a remote attacker to potentially execute arbitrary code. The vulnerability was disclosed on 2026-04-05, and a fix is pending from the vendor.
The insecure deserialization vulnerability in FedML allows a remote attacker to craft malicious data that, when deserialized by the sendMessage function, can lead to arbitrary code execution on the server. This could grant the attacker complete control over the affected system, enabling them to steal sensitive data, install malware, or disrupt operations. The ability to trigger deserialization remotely significantly broadens the attack surface, making this a high-impact vulnerability. Successful exploitation could compromise the integrity and confidentiality of data processed by FedML.
This vulnerability is currently publicly known, with the CVE published on 2026-04-05. The lack of vendor response raises concerns about the timeliness of a patch. While no public proof-of-concept (PoC) has been identified, the nature of insecure deserialization vulnerabilities makes them attractive targets for exploitation. The vulnerability's remote accessibility increases the likelihood of exploitation attempts. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
Due to the lack of a vendor-provided patch, immediate mitigation strategies are crucial. Implement strict input validation on all data received by the sendMessage function, specifically focusing on preventing the deserialization of untrusted data. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. Monitor network traffic for unusual patterns indicative of deserialization attempts. If possible, isolate the FedML service from critical systems to limit the blast radius of a potential attack. Regularly review and update the FedML configuration to minimize the attack surface. After a patch is released, upgrade to the fixed version and confirm by verifying that the sendMessage function no longer accepts untrusted serialized data.
Update to a FedML version later than 0.8.9 to mitigate the deserialization vulnerability in the gRPC server. Review the code to identify and remove any insecure deserialization. Implement robust input validation to prevent the injection of malicious data.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5536 is a HIGH severity vulnerability in FedML versions 0.8.0 through 0.8.9, allowing remote attackers to potentially execute code through insecure deserialization in the grpc_server.py file.
If you are using FedML versions 0.8.0 to 0.8.9, you are potentially affected by this vulnerability. Immediate mitigation steps are recommended.
A vendor patch is pending. Until then, implement strict input validation, consider a WAF, and monitor network traffic. Upgrade to the patched version as soon as it's released.
While no active exploitation has been confirmed, the vulnerability's nature and remote accessibility make it a potential target for attackers.
Check the FedML project's official website and security mailing lists for updates and advisories regarding CVE-2026-5536.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.