{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26220", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-11T20:08:07.944Z", "datePublished": "2026-02-17T01:52:03.650Z", "dateUpdated": "2026-02-17T14:37:46.080Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "packageName": "LightLLM", "product": "LightLLM", "repo": "https://github.com/ModelTC/lightllm", "vendor": "ModelTC", "versions": [{"lessThanOrEqual": "1.1.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein (Chocapikk)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution."}], "value": "LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-17T01:52:03.650Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://chocapikk.com/posts/2026/lightllm-pickle-rce/"}, {"tags": ["issue-tracking", "patch"], "url": "https://github.com/ModelTC/LightLLM/issues/1213"}, {"tags": ["product"], "url": "https://lightllm-en.readthedocs.io/en/latest/index.html"}, {"tags": ["product"], "url": "https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L310"}, {"tags": ["product"], "url": "https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L331"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/lightllm-pd-mode-unsafe-deserialization-rce"}], "source": {"discovery": "EXTERNAL"}, "title": "LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:37:33.792813Z", "id": "CVE-2026-26220", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:37:46.080Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26220", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T14:37:33.792813Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:37:39.175Z"}}], "cna": {"title": "LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein (Chocapikk)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/ModelTC/lightllm", "vendor": "ModelTC", "product": "LightLLM", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "packageName": "LightLLM", "defaultStatus": "unknown"}], "references": [{"url": "https://chocapikk.com/posts/2026/lightllm-pickle-rce/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/ModelTC/LightLLM/issues/1213", "tags": ["issue-tracking", "patch"]}, {"url": "https://lightllm-en.readthedocs.io/en/latest/index.html", "tags": ["product"]}, {"url": "https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L310", "tags": ["product"]}, {"url": "https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L331", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/lightllm-pd-mode-unsafe-deserialization-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.", "supportingMedia": [{"type": "text/html", "value": "LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-17T01:52:03.650Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26220", "state": "PUBLISHED", "dateUpdated": "2026-02-17T14:37:46.080Z", "dateReserved": "2026-02-11T20:08:07.944Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-17T01:52:03.650Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution."}, {"lang": "es", "value": "La versi\u00f3n 1.1.0 y anteriores de LightLLM contienen una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo no autenticada en el modo de desagregaci\u00f3n PD (prefill-decode). El nodo maestro PD expone puntos finales WebSocket que reciben tramas binarias y pasan los datos directamente a pickle.loads() sin autenticaci\u00f3n ni validaci\u00f3n. Un atacante remoto que puede alcanzar el maestro PD puede enviar una carga \u00fatil manipulada para lograr la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2026-26220", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-17T03:16:01.893", "references": [{"source": "disclosure@vulncheck.com", "url": "https://chocapikk.com/posts/2026/lightllm-pickle-rce/"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/ModelTC/LightLLM/issues/1213"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L310"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L331"}, {"source": "disclosure@vulncheck.com", "url": "https://lightllm-en.readthedocs.io/en/latest/index.html"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/lightllm-pd-mode-unsafe-deserialization-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.0]"}}], "product": "lightllm", "vendor": "modeltc"}], "analysis": {"en": {"generated_at": "2026-04-17T18:58:47.944672+00:00", "value": {"mitigation_remediation": ["Upgrade LightLLM to the latest version that removes the pickle.loads usage in PD mode.", "If an upgrade is not immediately possible, disable PD mode or block the WebSocket endpoints behind firewall rules so that only trusted internal hosts can reach the PD master.", "Restrict network access to the PD master node, isolating it from the public or less trusted segments and applying least\u2011privilege controls on the host.", "As a temporary safeguard, modify the server code to validate or reject untrusted pickle payloads, or replace pickle with a safer serialization library."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of ModelTC LightLLM with version 1.1.0 or lower that use PD mode. No specific patch versions have been listed in the data; the issue is inherent to the vulnerable code paths in these releases.", "description_and_impact": "LightLLM versions 1.1.0 and earlier contain an unsafe deserialization flaw in the PD (prefill-decode) disaggregation mode. The application exposes WebSocket endpoints that accept binary frames and feed them directly to pickle.loads() without any authentication or input validation. This design allows a remote attacker who can reach the PD master node to supply a crafted pickle payload that is executed with the privileges of the running process, providing full control over the system. The vulnerability is classified as CWE-502 and carries a CVSS base score of 9.3, indicating a severe threat to confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.3 combined with an EPSS less than 1\u202f% suggests the vulnerability is highly severe but currently has a low probability of being exploited in the wild. The lack of authentication or input checks means an attacker can exploit it remotely via a WebSocket connection to the PD master node. The vulnerability is not listed in CISA\u2019s KEV catalog, implying no confirmed exploit activity to date. The attack surface is limited to systems that expose the WebSocket endpoints publicly or to untrusted networks."}}}}, "created": "2026-02-17T08:48:55.402817+00:00", "updated": "2026-04-17T19:00:11.060689+00:00", "vendors": ["modeltc", "modeltc$PRODUCT$lightllm"]}