CVE-2026-15044

MEDIUM
Published July 8, 2026

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the...

Full CISO analysis pending enrichment.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Adjacent
AC Low
PR Low
UI None
S Unchanged
C High
I Low
A None

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-15044?

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the cluster to access the AI guardrails and orchestrator without proper authorization. An attacker could exploit this to gain unauthorized access to sensitive information and potentially make limited changes to the AI models.

Is CVE-2026-15044 actively exploited?

No confirmed active exploitation of CVE-2026-15044 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-15044?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-15044?

CVE-2026-15044 has a CVSS v3.1 base score of 6.3 (MEDIUM).

What are the technical details?

Original Advisory

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the cluster to access the AI guardrails and orchestrator without proper authorization. An attacker could exploit this to gain unauthorized access to sensitive information and potentially make limited changes to the AI models.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Timeline

Published
July 8, 2026
Last Modified
July 8, 2026
First Seen
July 8, 2026