CVE-2026-5536

Summary

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
FedML-AIFedML0.8.0affected
FedML-AIFedML0.8.1affected
FedML-AIFedML0.8.2affected
FedML-AIFedML0.8.3affected
FedML-AIFedML0.8.4affected
FedML-AIFedML0.8.5affected
FedML-AIFedML0.8.6affected
FedML-AIFedML0.8.7affected
FedML-AIFedML0.8.8affected
FedML-AIFedML0.8.9affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References