Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26220 is a critical unauthenticated remote code execution (RCE) vulnerability in LightLLM versions 1.1.0 and earlier, specifically in the PD (prefill-decode) disaggregation mode.'}, {'type': 'paragraph', 'content': "The PD master node exposes WebSocket endpoints that receive binary frames and directly pass the data to Python's pickle.loads() function without any authentication or validation."}, {'type': 'paragraph', 'content': 'Because pickle.loads() deserializes data in a way that can execute arbitrary code, a remote attacker who can connect to these WebSocket endpoints can send a crafted payload that triggers arbitrary code execution on the server.'}, {'type': 'paragraph', 'content': 'The vulnerable endpoints include `/pd_register` and `/kv_move_status`, which are network-exposed by design and do not require authentication, allowing any network attacker to exploit this flaw.'}] [2, 3, 5]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the LightLLM PD master node.

The attacker can run any system commands with the privileges of the LightLLM server process, potentially leading to full system compromise.

• Complete takeover of the server hosting LightLLM.
• Access to sensitive data processed or stored by the server.
• Disruption of service or denial of service by executing destructive commands.
• Potential lateral movement within the network if the server is part of a larger infrastructure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if a LightLLM PD master node is running and exposing the vulnerable WebSocket endpoints `/pd_register` and `/kv_move_status` on a network-accessible IP address.

Since the vulnerability involves unauthenticated WebSocket endpoints that accept binary frames deserialized with pickle.loads(), detection can involve scanning for open WebSocket ports and attempting to connect to these endpoints.

• Use network scanning tools like nmap to detect open ports where LightLLM PD master might be listening.
• Example nmap command to scan for open WebSocket ports (replace <target_ip> and <port>): nmap -p <port> --script http-websocket <target_ip>
• Use WebSocket client tools (e.g., websocat or wscat) to connect to the endpoints `/pd_register` and `/kv_move_status` and observe if the server accepts connections without authentication.
• Example command using websocat: websocat ws://<target_ip>:<port>/pd_register

If the connection is accepted and binary frames can be sent without authentication, the system is likely vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include preventing unauthenticated access to the vulnerable WebSocket endpoints exposed by the LightLLM PD master node.

• Restrict network access to the PD master node by firewall rules or network segmentation to block unauthorized hosts from connecting to the WebSocket endpoints.
• If possible, disable or avoid running LightLLM in PD disaggregation mode until a patch or fix is applied.
• Implement authentication mechanisms on the WebSocket endpoints, such as token-based authentication, TLS client certificates, or shared secrets, to prevent unauthorized connections.
• Replace the unsafe use of pickle.loads() with safer serialization formats like JSON or MessagePack for WebSocket communication.
• If pickle deserialization must be used, employ a restricted unpickler with an explicit allowlist of safe classes and implement message signing (e.g., HMAC) to verify integrity and authenticity.

These mitigations reduce the risk of remote code execution by limiting or securing access to the vulnerable deserialization functionality.

Useful 0 Not Useful 0