PySyft Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in PySyft (Syft Datasite/Server) versions 0.9.5 and earlier. This issue arises from inadequate validation and sandboxing of user-submitted code, allowing low-privileged users to send Python functions for remote execution on the server. Although there is a code approval process, submitted code is not subjected to security checks for potentially harmful operations, such as file access or command execution. Once approved, the code is executed within the server process using 'exec()' and 'eval()' without proper isolation. This vulnerability enables remote attackers to execute arbitrary Python code on the server, potentially leading to a complete compromise of the server environment.
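
As an added example (not PySyft's own code), the following is one screening step the approval workflow described above lacks: a static pass over the AST of a submitted function that flags imports and calls associated with file access or command execution so a reviewer sees them before approval. The module and builtin names in the denylists are assumptions chosen for illustration.

```python
"""Illustrative pre-approval static check for user-submitted Python functions."""
import ast

# Denylists are assumptions for this example; tune them for the deployment.
DENIED_MODULES = {"os", "subprocess", "sys", "socket", "shutil", "pathlib",
                  "importlib", "ctypes"}
DENIED_CALLS = {"open", "exec", "eval", "compile", "__import__", "getattr",
                "globals", "vars"}


def find_denied_operations(source: str) -> list[str]:
    """Return findings that should block approval of the submitted source.

    An empty list means the static check found nothing, not that the code is
    safe: a denylist over the AST is a screening aid, and execution of approved
    code still needs real isolation from the server process.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    findings.append(f"line {node.lineno}: import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                findings.append(f"line {node.lineno}: import from {node.module}")
        elif isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in DENIED_CALLS:
                findings.append(f"line {node.lineno}: call to {node.func.id}()")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Dunder attribute access is a common route to reaching builtins.
            findings.append(f"line {node.lineno}: dunder attribute {node.attr}")
    return findings


# Constructed sample submissions for demonstration (not real PySyft traffic).
BENIGN_SUBMISSION = "def mean(xs):\n    return sum(xs) / len(xs)\n"
SUSPICIOUS_SUBMISSION = "import os\ndef f():\n    return os.listdir('/')\n"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SUBMISSION),
                       ("suspicious", SUSPICIOUS_SUBMISSION)):
        print(label, find_denied_operations(src))
```

A denylist of this kind can be evaded by obfuscated submissions, so it only narrows what reaches a human reviewer; the fix for the underlying issue is to run approved code outside the server process with restricted privileges.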

Impact

Exploitation of this vulnerability allows for arbitrary Python code execution on the server, with the potential for complete compromise of the server environment.

Added: May 12, 2026, 4:28 PM
Updated: May 12, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  5.3
remediation     0.0
relevance       8.1
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.