LeakyCreds

CVE-2026-24178 - Vulnerability Analysis

Critical (CVSS: 9.8)

Last Updated: April 28, 2026

NVIDIA NVFlare Dashboard - Authorization Bypass

Published: April 28, 2026 | Updated: April 28, 2026 | Remote Exploitable

Overview

NVIDIA NVFlare Dashboard contains an authorization bypass caused by a user-controlled key in the user management and authentication system. It lets unauthenticated attackers escalate privileges, tamper with data, disclose information, execute code, and cause denial of service. Exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 14.2% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can bypass authorization to escalate privileges, modify data, disclose information, execute code, and cause denial of service.

Mitigation

Update to the latest version with the vulnerability fixed.

Social Media Activity (2 posts)

TheHackerWire
@thehackerwire
Apr 28, 2026

🔴 CVE-2026-24178 - Critical (9.8) NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24178/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

AA
@AAKL
Apr 28, 2026

Nvidia has posted two advisories: "NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key." - Critical: CVE-2026-24178, CVE-2026-24186, and CVE-2026-24204: NVIDIA FLARE SDK - April 2026 https://nvidia.custhelp.com/app/answers/detail/a_id/5819 "NVIDIA NemoClaw contains a vulnerability in the sandbox environment initialization component where a remote attacker may cause improper access control by sending prompt-injected content." - High: CVE-2026-24222 and CVE-2026-24231: https://nvidia.custhelp.com/app/answers/detail/a_id/5837 #Nvidia #infoec #vulnerability


Details

CVE ID: CVE-2026-24178
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: unconfirmed
EPSS: 14.2%
Social Posts: 2

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

14.2% (Probability of exploitation in the next 30 days)