CVE-2026-5536
Received Received - Intake
Deserialization Vulnerability in FedML gRPC Server Allows Remote Attack

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5536
EUVD
EUVD-2026-19021
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tensoropera fedml to 0.8.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting network access to the vulnerable gRPC server ports (8890 and above) to trusted hosts only.

Since the gRPC server uses add_insecure_port() and does not enforce authentication, it is critical to implement network-level controls such as firewall rules to block unauthorized access.

If possible, disable or stop the Fedml gRPC server until a patched version or secure configuration is available.

Avoid exposing the gRPC server on 0.0.0.0 (all interfaces) and bind it only to localhost or internal trusted networks.

Executive Summary

CVE-2026-5536 is a Remote Code Execution (RCE) vulnerability in Fedml versions up to 0.8.9. It occurs because the gRPC server component of Fedml, specifically the sendMessage() function, unsafely deserializes incoming messages using Python's pickle.loads() without any validation or authentication.

The gRPC server listens on all network interfaces on insecure ports starting at 8890 and accepts connections without requiring authentication. An attacker can send a specially crafted malicious pickle payload to the sendMessage() RPC method, which is then deserialized unsafely, allowing the attacker to execute arbitrary code remotely on the affected system.

Impact Analysis

This vulnerability can have severe impacts as it allows an unauthenticated remote attacker to execute arbitrary code on the affected Fedml node. This means the attacker could potentially take full control of the system running Fedml, leading to data theft, system compromise, disruption of services, or further attacks within the network.

Detection Guidance

This vulnerability can be detected by identifying if the Fedml gRPC server is running and exposed on network interfaces, specifically listening on port 8890 or higher without authentication.

You can scan your network or system for open ports starting at 8890 to check if the vulnerable gRPC server is accessible.

  • Use nmap to scan for open ports: nmap -p 8890-8899 <target-ip>
  • Use netstat or ss to check listening ports on the local system: netstat -tuln | grep 8890 or ss -tuln | grep 8890

Additionally, monitoring network traffic for unauthenticated gRPC calls to the sendMessage() RPC method on these ports may help detect exploitation attempts.

Compliance Impact

The vulnerability allows unauthenticated remote code execution via unsafe deserialization in the FedML gRPC server. This security weakness could lead to unauthorized access and manipulation of data on affected systems.

Such unauthorized access and potential data compromise may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system access controls.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5536. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart