CVE-2026-24178:

CVE-2026-24178 is a critical authorization bypass vulnerability in NVIDIA NVFlare Dashboard's user management and authentication system, exploitable by unauthenticated remote attackers via user-controlled key manipulation.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Apr 28, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

NVIDIA NVFlare Dashboard contains a critical vulnerability (CVE-2026-24178) in its user management and authentication system. The flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), allows an unauthenticated remote attacker to bypass authorization controls by manipulating a user-controlled key. No privileges or user interaction are required to exploit this vulnerability. A successful attack can lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the highest level of severity across all impact categories.

Remediation

NVIDIA has published a security advisory addressing CVE-2026-24178. Users and administrators of NVIDIA NVFlare Dashboard are strongly advised to review the official NVIDIA security bulletin (Answer ID 5819) available through NVIDIA's customer help portal for specific patch information, updated software versions, and mitigation guidance. It is recommended to apply all available patches or updates provided by NVIDIA as soon as possible. Additionally, restricting network access to the NVFlare Dashboard to trusted users and networks can serve as a temporary mitigation measure until patching is completed.