{"id":"PYSEC-2026-100","details":"NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.","aliases":["CVE-2026-24178","GHSA-jqp3-qrgh-4846"],"modified":"2026-06-10T17:02:26.310432093Z","published":"2026-04-28T19:36:45.127Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24178"},{"type":"ADVISORY","url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5819"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-24178"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-jqp3-qrgh-4846"}],"affected":[{"package":{"name":"nvflare","ecosystem":"PyPI","purl":"pkg:pypi/nvflare"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.2"}]}],"versions":["0.1.3","0.9.0","1.0.0","1.0.1","1.0.2","1.1.0","1.1.1","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.14","2.0.15","2.0.16","2.0.18","2.0.19","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.2.0","2.2.0rc1","2.2.1","2.2.1rc1","2.2.1rc4","2.2.1rc5","2.2.1rc6","2.2.1rc7","2.2.1rc8","2.2.1rc9","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.3.0","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.0rc4","2.3.0rc5","2.3.0rc6","2.3.0rc7","2.3.0rc8","2.3.1","2.3.10","2.3.11","2.3.12","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0","2.4.0rc1","2.4.0rc2","2.4.0rc3","2.4.0rc4","2.4.0rc5","2.4.0rc6","2.4.0rc7","2.4.0rc8","2.4.0rc9","2.4.1","2.4.1rc1","2.4.1rc2","2.4.1rc3","2.4.1rc4","2.4.1rc5","2.4.1rc6","2.4.1rc7","2.4.1rc8","2.4.2","2.4.2rc3","2.5.0","2.5.0rc1","2.5.0rc10","2.5.0rc11","2.5.0rc12","2.5.0rc2","2.5.0rc3","2.5.0rc4","2.5.0rc5","2.5.0rc6","2.5.0rc7","2.5.0rc8","2.5.0rc9","2.5.1","2.5.1rc1","2.5.1rc2","2.5.2","2.6.0","2.6.0rc1","2.6.0rc2","2.6.0rc3","2.6.0rc4","2.6.0rc5","2.6.1","2.6.2","2.6.3","2.7.0","2.7.0rc1","2.7.0rc10","2.7.0rc2","2.7.0rc3","2.7.0rc4","2.7.0rc5","2.7.0rc6","2.7.0rc7","2.7.0rc8","2.7.0rc9","2.7.1","2.7.1rc1","2.7.1rc2","2.7.2rc1","2.7.2rc10","2.7.2rc11","2.7.2rc12","2.7.2rc13","2.7.2rc14","2.7.2rc15","2.7.2rc16","2.7.2rc17","2.7.2rc18","2.7.2rc19","2.7.2rc2","2.7.2rc20","2.7.2rc3","2.7.2rc4","2.7.2rc5","2.7.2rc6","2.7.2rc7","2.7.2rc8","2.7.2rc9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2026-100.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}