CVE-2026-5535

Summary

A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the argument dataSet results in path traversal. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
FedML-AIFedML0.8.0affected
FedML-AIFedML0.8.1affected
FedML-AIFedML0.8.2affected
FedML-AIFedML0.8.3affected
FedML-AIFedML0.8.4affected
FedML-AIFedML0.8.5affected
FedML-AIFedML0.8.6affected
FedML-AIFedML0.8.7affected
FedML-AIFedML0.8.8affected
FedML-AIFedML0.8.9affected

Weaknesses

  • CWE-22: Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References