NVIDIA has issued an urgent software update for the NVIDIA FLARE SDK, addressing multiple security vulnerabilities that could allow attackers to bypass authentication, execute malicious code, and tamper with sensitive data. The most severe of these flaws carries a CVSS score of 9.8, marking it as a critical threat to Linux and macOS systems running the federated learning framework.
Developers and data scientists are strongly encouraged to “clone or update this software to NVIDIA FLARE SDK v2.7.2 or later” to protect their environments from potential exploitation.
CVE-2026-24178 is a critical vulnerability found within the NVFlare Dashboard. The flaw exists in the user management and authentication system, where an unauthenticated attacker can manipulate a “user-controlled key” to circumvent security protocols.
According to the security bulletin: “A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service”.
Because this attack requires no prior privileges and no user interaction, it represents a “worst-case scenario” for servers hosting the dashboard.
Beyond the dashboard, the SDK itself contains two other significant vulnerabilities that target the way the system processes data:
- Code Execution via FOBS (CVE-2026-24186): Rated High severity with a CVSS score of 8.8, this vulnerability involves the deserialization of untrusted data. An attacker can send a “malicious FOBS-encoded message” to trigger code execution on the host system.
- Information Disclosure (CVE-2026-24204): This Medium severity flaw allows for “improper input validation by path traversing”. If exploited, an attacker could gain unauthorized access to sensitive files and information.
The vulnerabilities affect all versions of the NVIDIA FLARE SDK prior to 2.7.2 on both Linux and macOS platforms.
To secure your federated learning infrastructure, NVIDIA recommends an immediate transition to the latest stable release (v2.7.2 or later). Updates are available via the NVIDIA/NVFlare repository on GitHub.
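The practical question for defenders is which nodes still run an affected release. The following is an added example, not code from NVIDIA or the NVFlare project: it applies the bulletin's "prior to 2.7.2" rule to version strings, treats a pre-release of 2.7.2 itself as still affected, reads the locally installed `nvflare` distribution version via `importlib.metadata`, and triages a constructed inventory of hostnames and reported versions (the hostnames and values are made up for illustration).

```python
import re
from importlib import metadata

# Fixed release named in the NVIDIA bulletin; everything earlier is affected.
FIXED_VERSION = (2, 7, 2)

# Numeric release followed by an optional PEP 440-style pre/dev marker.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc|dev|\.dev)\d*)?", re.IGNORECASE
)


def parse_version(text):
    """Return (release_tuple, is_prerelease); raise ValueError if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # Pad short releases so "2.7" compares like 2.7.0.
    release = release + (0,) * max(0, 3 - len(release))
    return release, m.group("pre") is not None


def is_affected(version_text):
    """True when the version precedes the 2.7.2 fix (2.7.2rc1 still counts)."""
    release, prerelease = parse_version(version_text)
    if release < FIXED_VERSION:
        return True
    return release == FIXED_VERSION and prerelease


def installed_nvflare_version():
    """Version of the nvflare distribution in this interpreter, or None."""
    try:
        return metadata.version("nvflare")
    except metadata.PackageNotFoundError:
        return None


def triage_inventory(inventory):
    """Given host -> reported version, return hosts that still need the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "fl-server-01": "2.6.0",
    "fl-client-a": "2.7.2rc1",
    "fl-client-b": "2.7.2",
    "fl-client-c": "v2.8.0",
}

if __name__ == "__main__":
    print("local nvflare:", installed_nvflare_version())
    print("needs update:", triage_inventory(SAMPLE_INVENTORY))
```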