CRITICAL🇵🇱 Wersja polska

CVE-2026-24207

CVSS 9.8v3.1pub. 2026-05-20

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates that an attacker can gain access to protected resources or server functions through an alternative path or communication channel, bypassing standard authentication mechanisms. The attack requires no privileges or user interaction and can be conducted remotely over the network. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms low attack complexity and no prerequisites.

Impact

An attacker can execute arbitrary code on the server (RCE), obtain elevated privileges, modify model or inference request data, cause service unavailability (DoS), or disclose sensitive information processed by the server.

Mitigation & patch

Apply patches available from the vendor in accordance with the references — detailed information about patched versions is available in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5828. Until patches are applied, it is recommended to restrict network access to Triton Inference Server instances through firewall or network segmentation mechanisms.

Who is affected

NVIDIA Triton Inference Server — versions indicated in vendor references (NVIDIA security advisory ID 5828)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Nvidia Triton Inference Server

    APP
    Nvidia
    < 26.03
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth BypassDoS
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...