CVE-2026-14621
Received - Intake

Exposure of Data Element to Wrong Session in FederatedAI FATE

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument rollSiteSessionId/dstRole/dstPartyId leads to exposure of data element to wrong session. The attack can be executed remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor | Product | Version / Range
federatedai | fate | to 2.2.0 (inc)

CWE
CWE ID | Description
CWE-488 | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Executive Summary

This vulnerability in FederatedAI FATE up to version 2.2.0 affects the OSX Broker component, specifically the QueuePushReqStreamObserver.initEggroll function. It arises from improper session management where the session key is constructed only from rollSiteSessionId, dstRole, and dstPartyId, without considering other important security attributes like tenant, user, or job ID.

An attacker can manipulate these session key components to cause two distinct security contexts to share the same Eggroll session. This session confusion allows exposure of data elements to the wrong session, potentially leading to unauthorized access or data leakage.

The attack can be executed remotely but has a high complexity level, making exploitation difficult. A fix has been proposed to scope sessions by RollSite context and task ID to ensure proper session isolation.

Impact Analysis

This vulnerability can lead to unauthorized access or data leakage by exposing data elements to incorrect sessions. Because the session management does not properly verify session ownership or bind sessions to the request owner, an attacker could access data belonging to other tenants, users, or jobs.

Such unauthorized data exposure can compromise confidentiality within federated learning environments, potentially affecting the integrity of collaborative data processing and privacy guarantees.

Detection Guidance

This vulnerability involves session confusion due to manipulation of the rollSiteSessionId, dstRole, and dstPartyId fields leading to session reuse between distinct security contexts.

Detection can involve monitoring for unusual or suspicious RollSiteHeader values that cause session key collisions or unexpected session reuse in the OSX Broker component.

Since the vulnerability is related to the reuse of backend sessions identified by these fields, network or system detection could include capturing and analyzing gRPC traffic to the OSX Broker for repeated or conflicting session identifiers.

  • Use packet capture tools (e.g., tcpdump or Wireshark) to monitor gRPC traffic on the OSX Broker ports.
  • Filter captured traffic for RollSiteHeader fields rollSiteSessionId, dstRole, and dstPartyId to identify repeated or conflicting session keys.
  • Example tcpdump command to capture traffic on port 50051 (default gRPC port, adjust as needed): tcpdump -i any port 50051 -w capture.pcap
  • Analyze the capture with Wireshark or tshark to extract and inspect RollSiteHeader fields for anomalies.

No specific detection commands or tools are provided in the available resources, so detection relies on custom traffic inspection and correlation of session identifiers.
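
An added example (not from the CVE record or the FATE project) of the correlation step described above: group observed streams by the three-field session key and flag any key used by more than one distinct source context. The records are constructed, and the field names srcPartyId, taskId and peerIp are assumptions about what your broker logs or decoded traffic expose.

```python
from collections import defaultdict

# Constructed sample records, one per inbound push stream, as they might look
# after extracting RollSiteHeader fields from broker logs or decoded gRPC traffic.
# srcPartyId, taskId and peerIp are assumed field names, not FATE's log schema.
SAMPLE_STREAMS = [
    {"rollSiteSessionId": "sess-A", "dstRole": "guest", "dstPartyId": "9999",
     "srcPartyId": "10000", "taskId": "task-1", "peerIp": "192.0.2.10"},
    {"rollSiteSessionId": "sess-A", "dstRole": "guest", "dstPartyId": "9999",
     "srcPartyId": "10000", "taskId": "task-1", "peerIp": "192.0.2.10"},
    {"rollSiteSessionId": "sess-A", "dstRole": "guest", "dstPartyId": "9999",
     "srcPartyId": "10001", "taskId": "task-7", "peerIp": "198.51.100.23"},
    {"rollSiteSessionId": "sess-B", "dstRole": "host", "dstPartyId": "10000",
     "srcPartyId": "9999", "taskId": "task-2", "peerIp": "192.0.2.44"},
]

# The session key named in the advisory, and the context it fails to include.
NARROW_KEY = ("rollSiteSessionId", "dstRole", "dstPartyId")
CONTEXT = ("srcPartyId", "taskId", "peerIp")


def find_shared_sessions(streams, key_fields=NARROW_KEY, context_fields=CONTEXT):
    """Return {session_key: sorted contexts} for keys used by >1 distinct context."""
    seen = defaultdict(set)
    for rec in streams:
        key = tuple(rec[f] for f in key_fields)
        seen[key].add(tuple(rec[f] for f in context_fields))
    # A repeated stream from the same context is normal; only differing contexts count.
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for key, contexts in find_shared_sessions(SAMPLE_STREAMS).items():
        print("session key shared across contexts:", key)
        for ctx in contexts:
            print("   ", dict(zip(CONTEXT, ctx)))
```

Passing a wider `key_fields` tuple that includes the source party and task ID shows whether a more tightly scoped key would have kept the same streams apart.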

Mitigation Strategies

Immediate mitigation steps include restricting access to the OSX Broker component to trusted parties only, as the attack can be executed remotely but has high complexity.

Since the vulnerability arises from improper session reuse checks, monitoring and limiting the ability to send manipulated RollSiteHeader values can reduce risk.

Applying the official fix from the pending pull request is the definitive mitigation. This fix scopes the ErSession cache by RollSite context and task ID and validates inbound source party against route information and remote peer IP, preventing session confusion.

  • Review and apply the patch from pull request #5792 once it is accepted and tested.
  • Restrict network access to the OSX Broker service to trusted hosts and networks.
  • Monitor logs for suspicious session reuse or unauthorized access attempts.

Until the patch is applied, consider implementing additional application-level checks or network-level filtering to prevent malicious session key manipulation.

Compliance Impact

The vulnerability in FederatedAI FATE allows exposure of data elements to the wrong session due to session confusion and improper session reuse checks. This can lead to unauthorized access or data leakage between distinct security contexts such as different tenants, users, or jobs.

Such unauthorized data exposure and leakage can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on data access and confidentiality to protect personal and sensitive information.

Because the vulnerability enables data to be accessed by incorrect sessions, it undermines the security and privacy guarantees necessary for regulatory compliance, potentially leading to violations of these standards.
