DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26220: LightLLM RCE: When 'High Performance' Means Faster Shells

#security #cve #cybersecurity

LightLLM RCE: When 'High Performance' Means Faster Shells

Vulnerability ID: CVE-2026-26220
CVSS Score: 9.3
Published: 2026-02-17

LightLLM, a high-performance LLM inference engine, contains a critical Remote Code Execution (RCE) vulnerability in its Prefill-Decode (PD) disaggregation system. The flaw arises from the unsafe deserialization of untrusted data using Python's pickle module on exposed WebSocket endpoints. Compounding the issue, the application explicitly forbids binding to localhost, forcing these vulnerable endpoints to be network-accessible. This allows unauthenticated attackers to execute arbitrary code with the privileges of the inference server, potentially compromising high-value GPU clusters and proprietary models.

TL;DR

Critical RCE in LightLLM <= 1.1.0 via unsafe Python pickle deserialization. The server forces network exposure and lacks authentication on WebSocket endpoints used for worker registration. Attackers can send malicious pickle payloads to achieve full system compromise.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502 (Deserialization of Untrusted Data)
  • CVSS v4.0: 9.3 (Critical)
  • Attack Vector: Network (WebSocket)
  • Authentication: None Required
  • Privileges: User (Process Owner)
  • Exploit Status: PoC Available

Affected Systems

  • LightLLM Inference Engine <= 1.1.0
  • LightLLM PD Master Node
  • LightLLM: <= 1.1.0 (Fixed in: N/A)

Exploit Details

  • GitHub: Original issue disclosure identifying the pickle RCE.

Mitigation Strategies

  • Replace Pickle with JSON/MsgPack
  • Implement mTLS for inter-node communication
  • Strict Network Firewalling

Remediation Steps:

  1. Locate lightllm/server/api_http.py.
  2. Replace pickle.loads(data) with json.loads(data.decode('utf-8')) and update worker logic to send JSON.
  3. Remove the assertion preventing localhost binding in the server startup script.
  4. Deploy firewall rules to block external access to the PD Master port.

References

Read the full report for CVE-2026-26220 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)