CVE-2026-26220
Received Received - Intake
Unauthenticated Remote Code Execution in LightLLM PD Master Node

Publication date: 2026-02-17

Last updated on: 2026-02-17

Assigner: VulnCheck

Description
LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-17
Last Modified
2026-02-17
Generated
2026-05-07
AI Q&A
2026-02-17
EPSS Evaluated
2026-05-05
NVD
CVE-2026-26220
EUVD
EUVD-2026-7823
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
modeltc lightllm to 1.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-26220 is a critical unauthenticated remote code execution (RCE) vulnerability in LightLLM versions 1.1.0 and earlier, specifically in the PD (prefill-decode) disaggregation mode.'}, {'type': 'paragraph', 'content': "The PD master node exposes WebSocket endpoints that receive binary frames and directly pass the data to Python's pickle.loads() function without any authentication or validation."}, {'type': 'paragraph', 'content': 'Because pickle.loads() deserializes data in a way that can execute arbitrary code, a remote attacker who can connect to these WebSocket endpoints can send a crafted payload that triggers arbitrary code execution on the server.'}, {'type': 'paragraph', 'content': 'The vulnerable endpoints include `/pd_register` and `/kv_move_status`, which are network-exposed by design and do not require authentication, allowing any network attacker to exploit this flaw.'}] [2, 3, 5]


How can this vulnerability impact me? :

This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the LightLLM PD master node.

The attacker can run any system commands with the privileges of the LightLLM server process, potentially leading to full system compromise.

  • Complete takeover of the server hosting LightLLM.
  • Access to sensitive data processed or stored by the server.
  • Disruption of service or denial of service by executing destructive commands.
  • Potential lateral movement within the network if the server is part of a larger infrastructure.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if a LightLLM PD master node is running and exposing the vulnerable WebSocket endpoints `/pd_register` and `/kv_move_status` on a network-accessible IP address.

Since the vulnerability involves unauthenticated WebSocket endpoints that accept binary frames deserialized with pickle.loads(), detection can involve scanning for open WebSocket ports and attempting to connect to these endpoints.

  • Use network scanning tools like nmap to detect open ports where LightLLM PD master might be listening.
  • Example nmap command to scan for open WebSocket ports (replace <target_ip> and <port>): nmap -p <port> --script http-websocket <target_ip>
  • Use WebSocket client tools (e.g., websocat or wscat) to connect to the endpoints `/pd_register` and `/kv_move_status` and observe if the server accepts connections without authentication.
  • Example command using websocat: websocat ws://<target_ip>:<port>/pd_register

If the connection is accepted and binary frames can be sent without authentication, the system is likely vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing unauthenticated access to the vulnerable WebSocket endpoints exposed by the LightLLM PD master node.

  • Restrict network access to the PD master node by firewall rules or network segmentation to block unauthorized hosts from connecting to the WebSocket endpoints.
  • If possible, disable or avoid running LightLLM in PD disaggregation mode until a patch or fix is applied.
  • Implement authentication mechanisms on the WebSocket endpoints, such as token-based authentication, TLS client certificates, or shared secrets, to prevent unauthorized connections.
  • Replace the unsafe use of pickle.loads() with safer serialization formats like JSON or MessagePack for WebSocket communication.
  • If pickle deserialization must be used, employ a restricted unpickler with an explicit allowlist of safe classes and implement message signing (e.g., HMAC) to verify integrity and authenticity.

These mitigations reduce the risk of remote code execution by limiting or securing access to the vulnerable deserialization functionality.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart