{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24177", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:31.778Z", "datePublished": "2026-04-21T16:17:26.431Z", "dateUpdated": "2026-04-21T16:42:36.727Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-21T16:17:26.431Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "affected": [{"vendor": "NVIDIA", "product": "KAI Scheduler", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "All versions prior to 0.13.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24177"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24177"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5818"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:41:54.918328Z", "id": "CVE-2026-24177", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:42:36.727Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T16:41:54.918328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:42:33.141Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "KAI Scheduler", "versions": [{"status": "affected", "version": "All versions prior to 0.13.0"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24177"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24177"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5818"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-21T16:17:26.431Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24177", "state": "PUBLISHED", "dateUpdated": "2026-04-21T16:42:36.727Z", "dateReserved": "2026-01-21T19:09:31.778Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-04-21T16:17:26.431Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure."}], "id": "CVE-2026-24177", "lastModified": "2026-04-22T21:24:26.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:23.787", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24177"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5818"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24177"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KAI Scheduler", "source": "cna", "vendor": "NVIDIA"}, "product": "kai_scheduler", "vendor": "nvidia"}], "analysis": {"en": {"generated_at": "2026-04-21T22:41:41.150157+00:00", "value": {"mitigation_remediation": ["Deploy the latest NVIDIA KAI Scheduler patch or upgrade to a version that contains the authentication fix.", "Restrict network traffic to the scheduler's API by configuring firewalls or VPNs so that only trusted management hosts can reach the endpoints.", "Enable and review audit logs for API requests to detect unauthorized access attempts and adjust access controls accordingly."], "summary": {"action": "Apply Patch", "impact": "Information disclosure"}, "threat_synthesis": {"affected_systems": "NVIDIA KAI Scheduler is the affected product. No specific version range is listed; any version of the scheduler that has not been updated by NVIDIA after the advisory is considered vulnerable.", "description_and_impact": "This vulnerability allows an attacker to call KAI Scheduler API endpoints without authentication, meaning an unauthenticated actor can retrieve data that the scheduler exposes. The flaw is based on improper authentication handling (CWE-306) and, if exploited, can result in the unintended disclosure of internal scheduler information to unauthorized users.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.7, indicating high severity. While EPSS is not available, the lack of a mitigation or workaround suggests that the opportunity for exploitation exists, especially in environments where the scheduler APIs are exposed to an untrusted network or lack strict access controls. The likely attack vector is a direct network connection to the API endpoints; the attacker does not need privileged credentials to access them."}}}}, "created": "2026-04-21T22:45:16.061943+00:00", "title": "Unauthorized API Access Leading to Information Disclosure in NVIDIA KAI Scheduler", "updated": "2026-04-22T11:46:15.340746+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$kai_scheduler"]}