Horovod Insecure Deserialization Vulnerability in KVStore HTTP Server Component Allowing Remote Code Execution

Vulnerability

A vulnerability allowing insecure deserialization has been identified in Horovod versions through 0.28.1. This issue resides in the KVStore HTTP server component, which is used for distributed task coordination. The KVStore server lacks proper authentication and authorization controls, enabling remote attackers to send arbitrary data via HTTP PUT requests. When a Horovod worker retrieves data from the KVStore using HTTP GET, it deserializes the data with cloudpickle.loads() without verifying its source or integrity. This flaw can be exploited by sending a malicious pickle payload to the server before the legitimate data, causing the worker to deserialize and execute arbitrary code, resulting in remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system.

Added: May 12, 2026, 6:30 PM

Updated: May 12, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

7.5

exploitability

7.1

remediation

0.0

relevance

8.1

threat

3.2

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

7.5

exploitability

7.1

remediation

0.0

relevance

8.1

threat

3.2

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Horovod Insecure Deserialization Vulnerability in KVStore HTTP Server Component Allowing Remote Code Execution

Vulnerability

Impact

Affected Products

Horovod

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating