JustAppSec

NVFlare Dashboard pre-auth bypass allows privilege escalation and code execution

Published 28 Apr 2026. Source: NVIDIA Support Security Bulletin

TL;DR - NVFlare Dashboard trusts a user-controlled key for authentication decisions, letting an unauthenticated attacker bypass authorisation, escalate privileges, and potentially execute code. Update to NVIDIA FLARE SDK v2.7.2 or later.

What happened

NVIDIA FLARE is a federated learning SDK. NVFlare Dashboard is the management surface that handles user accounts, organisations, and training-workflow control for FLARE deployments.

NVIDIA's April 28, 2026 security bulletin discloses CVE-2026-24178 (CVSS 9.8, Critical): the Dashboard's user management and authentication path trusts a key that is supplied by the caller. An unauthenticated attacker can supply a crafted key, bypass authorisation entirely, and reach paths that carry privilege escalation and code execution impact.

This is the shape of bug that ends badly fast: a pre-auth bypass on an admin plane, sitting next to the credentials and control paths that orchestrate training workflows. If your FLARE deployment lives in a shared lab or multi-tenant platform, the blast radius is wide.

Who is impacted

  • Deployments running NVIDIA FLARE SDK on Linux or macOS with versions prior to 2.7.2.
  • Environments where NVFlare Dashboard is reachable from untrusted networks.
Item                 Detail
Affected component   NVFlare Dashboard user management and authentication
Affected versions    All versions prior to 2.7.2
Fixed version        2.7.2
Severity             CVSS 3.1 9.8 (Critical)
CWE                  CWE-639 (Authorization Bypass Through User-Controlled Key)

What to do now

  • Update now. NVIDIA's guidance is direct:

    "To protect your system, clone or update this software to NVIDIA FLARE SDK v2.7.2 or later"

  • Inventory every place NVIDIA FLARE SDK is running - source checkouts, built containers, base images, CI artefacts. Confirm none are pinned to a pre-2.7.2 build.
  • Map network exposure for every Dashboard instance:
    • check ingress rules, VPN boundaries, and reverse-proxy configs to understand who can reach the Dashboard
    • tighten that surface while you patch if you cannot update immediately
  • Review Dashboard access logs for unexpected activity around user management endpoints - unusual access patterns before your patch date are worth investigating.
  • If you suspect the environment was reached before patching, rotate credentials accessible from within the FLARE deployment.
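For the inventory step above, here is an added helper (written for this write-up, not NVIDIA's code) that flags nvflare pins in requirement files or Dockerfiles that resolve to a pre-2.7.2 build, and reports the locally installed version. It assumes the PyPI distribution name is nvflare; the requirement lines it scans are constructed samples.

```python
"""Flag NVIDIA FLARE SDK installs and pins older than the fixed 2.7.2 release."""
import re
from importlib import metadata

FIXED_VERSION = "2.7.2"  # first release carrying the CVE-2026-24178 fix

# Constructed sample of requirement/Dockerfile lines, not from any real deployment.
SAMPLE = """\
# constructed requirements.txt / Dockerfile fragments
nvflare==2.6.0
RUN pip install nvflare>=2.5.0
nvflare==2.7.2
numpy==1.26.4
"""

PIN_RE = re.compile(r"\bnvflare\s*(==|>=|~=)\s*([0-9][\w.]*)", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '2.7.0rc1' into a comparable tuple; a pre-release tag sorts before the final."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?[.-]?([a-zA-Z]+\d*)?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    return release + ((1,) if not tag else (0, tag.lower()))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 2.7.2 fix (pre-releases of 2.7.2 included)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_pins(text: str) -> list:
    """Return (line_no, operator, version, verdict) for nvflare pins worth attention."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.search(line)
        if not m or not is_vulnerable(m.group(2)):
            continue
        op, ver = m.groups()
        # '==' fixes the build; '>=' / '~=' with a floor below 2.7.2 may still resolve
        # to a patched release, so they are flagged for review rather than as vulnerable.
        findings.append((no, op, ver, "vulnerable" if op == "==" else "floor-below-fix"))
    return findings


def installed_nvflare_status() -> str:
    """Report the locally installed nvflare version against the fixed release."""
    try:
        ver = metadata.version("nvflare")
    except metadata.PackageNotFoundError:
        return "not installed"
    return f"{ver} ({'VULNERABLE' if is_vulnerable(ver) else 'patched'})"


if __name__ == "__main__":
    print("installed:", installed_nvflare_status())
    for finding in scan_pins(SAMPLE):
        print("line %d: nvflare%s%s -> %s" % finding)
```

Run it inside each container or virtualenv in your inventory, and point scan_pins at the real requirement files and Dockerfiles instead of the constructed sample.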
