CVE-2026-24178

NVIDIA · NVFlare Dashboard

NVIDIA NVFlare Dashboard contains an authentication and authorization bypass vulnerability allowing unauthenticated attackers to achieve privilege escalation and remote code execution.

Executive summary

A critical vulnerability in the NVIDIA NVFlare Dashboard allows unauthenticated attackers to bypass authorization controls, potentially leading to full system compromise.

Vulnerability

The dashboard suffers from a flaw in its user management and authentication subsystem. By injecting user-controlled keys, an unauthenticated attacker can bypass authorization checks, enabling administrative actions, data tampering, and arbitrary code execution.

Business impact

The CVSS score of 9.8 reflects the extreme severity of this flaw: it permits unauthenticated attackers to gain full control over the application. Successful exploitation could result in the total compromise of sensitive research data, loss of intellectual property, and significant operational downtime due to code execution and denial-of-service capabilities.

Remediation

Immediate Action: Update the NVIDIA NVFlare Dashboard to the latest version provided by the vendor to address the authorization logic flaw.

Proactive Monitoring: Review system access logs for anomalous authentication requests or unauthorized attempts to access administrative functions.

Compensating Controls: Implement a Web Application Firewall (WAF) with strict request filtering to block requests that inject unexpected user-controlled keys into the dashboard's authentication and user management functions until a patch can be applied.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability represents a high-risk security gap that can be leveraged by unauthenticated external actors. Administrators should prioritize applying the vendor-supplied security update immediately to prevent unauthorized access and potential system-wide compromise.