CVE-2026-25873
Received Received - Intake
Unauthenticated Remote Code Execution via Insecure Deserialization in OmniGen2-RL Reward Server

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: VulnCheck

Description
OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution on the host system running the exposed service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25873
EUVD
EUVD-2026-12954
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vectorspacelab omnigen2 From 3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25873 is a critical remote code execution vulnerability in the OmniGen2-RL reward server component. It arises from unsafe deserialization of untrusted data using Python's pickle module in HTTP POST request bodies. Because the server deserializes these requests without authentication or validation, an attacker can send maliciously crafted pickle payloads that execute arbitrary commands on the host system running the exposed service."}, {'type': 'paragraph', 'content': 'This vulnerability is due to the insecure use of pickle.loads() on untrusted input, classified under CWE-502 (Deserialization of Untrusted Data). The affected servers bind to all network interfaces by default, exposing them broadly. The vulnerability allows unauthenticated remote attackers to execute code with potentially root privileges, impacting confidentiality, integrity, and availability.'}] [1, 6]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker can run arbitrary system commands, potentially gaining root-level access inside the server environment.

Because the reward server and its proxy bind to all network interfaces without authentication, attackers can exploit this vulnerability remotely over the network. This can lead to full compromise of the server, allowing attackers to manipulate or disrupt the reward evaluation process, access sensitive data, or use the server as a foothold for further attacks.

Additionally, the client-side components that deserialize server responses using pickle are also at risk, creating a bidirectional attack surface where a compromised server can execute code on training clients.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for suspicious HTTP POST requests sent to the OmniGen2-RL reward server component, especially those containing serialized Python pickle data. Since the vulnerability involves unsafe deserialization of untrusted data via pickle.loads(), detection can focus on identifying unexpected or malicious pickle payloads in POST requests.'}, {'type': 'paragraph', 'content': 'Additionally, checking if the reward server or proxy server is listening on network interfaces (commonly ports 23456 for the proxy and 18888+ for backend workers) bound to 0.0.0.0 (all interfaces) can indicate exposure to unauthenticated remote attacks.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerability or suspicious activity include:'}, {'type': 'list_item', 'content': "Use netstat or ss to check open ports and listening addresses: `netstat -tulnp | grep -E '23456|18888'` or `ss -tulnp | grep -E '23456|18888'`"}, {'type': 'list_item', 'content': 'Capture and inspect HTTP POST traffic to the reward server ports using tcpdump or tshark: `tcpdump -i any tcp port 23456 -w capture.pcap` and then analyze with Wireshark for suspicious pickle payloads.'}, {'type': 'list_item', 'content': 'Search server logs for unexpected or malformed POST requests, or for evidence of deserialization errors or execution of unexpected commands.'}, {'type': 'list_item', 'content': 'If you have access to the server, check the source code for usage of `pickle.loads()` on HTTP POST data, especially in `reward_proxy.py` and `reward_server.py` files at lines 118, 208, and 224.'}] [1, 6]

Mitigation Strategies

Immediate mitigation steps include preventing unauthenticated and unsafe deserialization of untrusted data by the reward server and proxy components.

Specifically:

  • Restrict network exposure by binding the reward server and proxy server to localhost or internal trusted interfaces instead of 0.0.0.0, and use firewall rules to limit access.
  • Implement authentication mechanisms such as requiring a shared secret in an Authorization header to prevent unauthorized access.
  • Replace unsafe Python pickle deserialization (`pickle.loads()`) with safe serialization methods such as JSON combined with base64 encoding, as demonstrated in the patch that introduces a `safe_serialization.py` module.
  • Apply the official patch (pull request #139) that removes all instances of `pickle.loads()` and `pickle.dumps()` in `reward_proxy.py` and `reward_server.py` and replaces them with safe serialization.
  • Monitor for suspicious activity and consider temporarily disabling the vulnerable service until a patch is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart