CVE-2026-26210: KTransformers: pickle RCE via unauthenticated ZMQ socket

CRITICAL
Published April 23, 2026
CISO Take

KTransformers through 0.5.3 exposes a ZMQ ROUTER socket bound to all network interfaces with zero authentication in its balance_serve mode, deserializing incoming messages with Python's pickle.loads() — a textbook unauthenticated RCE primitive. With a CVSS score of 9.8 and a public technical writeup with proof-of-concept exploit already published (chocapikk.com), the bar for exploitation is trivially low; any network-accessible KTransformers inference node running balance_serve is effectively pre-owned. The 8,333 downstream dependents and 31 prior CVEs in the same package indicate a systemic security posture problem at the project level. Patch immediately to the version that includes PR #1944, or disable balance_serve mode and enforce host-level firewall rules restricting ZMQ port access to trusted peers only while patching.

Sources: NVD, OpenSSF, ATLAS, chocapikk.com, VulnCheck, GitHub Advisory

What is the risk?

Critical. CVSS 9.8 with network-accessible attack vector, no credentials required, no user interaction needed, and a public exploit already circulating. KTransformers is deployed in distributed LLM inference serving environments, typically with elevated system privileges and access to sensitive model weights and inference data. The combination of unauthenticated network exposure, trivial pickle deserialization exploitation, and a published PoC makes this a high-probability, high-impact scenario requiring immediate response.

How does the attack unfold?

Reconnaissance
Adversary scans internet-facing or internal network ranges for open ZMQ ROUTER ports associated with KTransformers balance_serve deployments.
AML.T0006
Initial Access
Adversary connects directly to the unauthenticated ZMQ ROUTER socket exposed on all interfaces — no credentials or prior access required.
AML.T0049
Exploitation
Adversary sends a crafted ZMQ message containing a malicious Python pickle payload; pickle.loads() deserializes it without validation, executing arbitrary OS commands.
AML.T0049
Impact
Adversary achieves full system compromise with ktransformers process privileges — exfiltrating model weights, injecting backdoored inference logic, or pivoting laterally to connected AI infrastructure.
AML.T0072

What systems are affected?

Package       Ecosystem   Vulnerable Range   Patched
Transformers  pip                            No patch

Package stats: 161.8K; OpenSSF Scorecard 6.4; 8.3K dependents; pushed 4d ago; 39% patched; ~97d to patch.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Metric                    Value
AV (Attack Vector)        Network
AC (Attack Complexity)    Low
PR (Privileges Required)  None
UI (User Interaction)     None
S (Scope)                 Unchanged
C (Confidentiality)       High
I (Integrity)             High
A (Availability)          High

What should I do?

5 steps
  1. Patch: Apply the fix from PR #1944 — verify your installed version is beyond 0.5.3 and specifically includes the scheduler RPC authentication fix before re-enabling balance_serve mode.

  2. Immediate workaround if patching is delayed: disable balance_serve mode entirely; switch to single-node inference mode which does not expose the vulnerable ZMQ ROUTER socket.

  3. Network segmentation: enforce egress/ingress firewall rules restricting ZMQ scheduler port access to explicitly trusted inference worker IPs only — treat this port as equivalent to an unauthenticated admin interface.

  4. Detection: scan your environment for ktransformers processes bound to ZMQ ports on 0.0.0.0 using 'ss -tlnp | grep zmq' or netstat; alert on outbound connections from inference servers to unexpected hosts following a restart.

  5. Review: audit the OpenSSF Scorecard 6.4/10 and 31 prior CVEs — evaluate whether KTransformers meets your supply chain risk tolerance for production AI infrastructure.
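
The detection step above is worth automating, with one caveat: `ss -tlnp` reports the owning process name (for a KTransformers scheduler that is normally `python` or `python3`) together with the bind address and port; the string "zmq" never appears in its output, so a filter has to key on the process name and on a wildcard bind address, then confirm the PID's command line. The following is an added example, not tooling from the KTransformers project: it parses constructed `ss -tlnp` output (the sample lines, PIDs and ports 5555/5556 are made up for illustration and are not KTransformers' actual defaults) and reports every listener that a matching process has bound to all interfaces.

```python
import re
import sys

# Constructed sample of `ss -tlnp` output standing in for a real inference host.
# Assumption: the scheduler runs as an ordinary python process, so ss shows the
# interpreter name and port, never "zmq". Ports and PIDs are invented.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      100    0.0.0.0:5555        0.0.0.0:*         users:(("python",pid=4242,fd=17))
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*         users:(("python",pid=4242,fd=18))
LISTEN 0      128    [::]:5556           [::]:*            users:(("python3",pid=4243,fd=12))
"""

# ss renders an all-interfaces bind as 0.0.0.0 (IPv4), [::] (IPv6) or * (either).
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

# Matches a LISTEN row and captures the local endpoint plus the first owning
# process ("name",pid=N,fd=M) from the users:((...)) column.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),'
)


def parse_listeners(ss_output):
    """Yield (process, pid, bind_address, port) for every LISTEN row with a process."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a socket without process info
        addr, port = m.group("local").rsplit(":", 1)  # rsplit keeps [::] intact
        yield m.group("proc"), int(m.group("pid")), addr, int(port)


def find_wildcard_listeners(ss_output, process_names=("python", "python3")):
    """Return sorted (process, pid, port) for listeners on all interfaces.

    Only processes whose name is in process_names are reported; a loopback
    bind (127.0.0.1) is not flagged because it is not network-reachable.
    """
    hits = [
        (proc, pid, port)
        for proc, pid, addr, port in parse_listeners(ss_output)
        if addr in WILDCARD_ADDRS and proc in process_names
    ]
    return sorted(hits)


if __name__ == "__main__":
    # Usage on a live host: ss -tlnp | python3 find_wildcard_listeners.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for proc, pid, port in find_wildcard_listeners(data):
        print(f"ALERT {proc} pid={pid} listening on all interfaces, port {port}")
```

Each alert still needs confirmation that the PID is the scheduler: read `/proc/<pid>/cmdline` and check it for the KTransformers entry point and `balance_serve` before treating the port as the exposed RPC socket, then apply the firewall rule from step 3 to that port.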

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms exist to document and mitigate AI risks
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-26210 actively exploited?

No confirmed active exploitation of CVE-2026-26210 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-26210?

This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference infrastructure, distributed inference, MLOps pipelines.

What is the CVSS score for CVE-2026-26210?

CVE-2026-26210 has a CVSS v3.1 base score of 9.8 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

model serving, LLM inference infrastructure, distributed inference, MLOps pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.

Exploitation Scenario

An adversary scans internet-facing or internal network ranges for KTransformers scheduler RPC ports (default ZMQ ROUTER configuration). Upon identifying a reachable endpoint running balance_serve mode, they send a crafted ZMQ message containing a malicious Python pickle payload — for example, one executing a reverse shell callback. Since no authentication is enforced and pickle.loads() processes the message without validation, the payload executes immediately with the privileges of the ktransformers process. From this foothold the attacker can exfiltrate model weights, inject backdoored inference responses, pivot to connected databases or Kubernetes API servers, or establish persistence for long-term access to AI inference infrastructure.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
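
The advisory text above describes the vulnerable pattern (calling pickle.loads() on whatever arrives at the socket), and the two CWE-502 mitigations describe the fix shape: authenticate the bytes before parsing them, and deserialize into a constrained object rather than trusting the stream. The example below is added here to make both concrete; it is not KTransformers' code and not the change in PR #1944. It works on the raw frame a ZMQ ROUTER socket's recv would hand over, so it needs no pyzmq; the shared key is a constructed placeholder and SchedulerRequest is a hypothetical message type, since the project's real schema is not on the page.

```python
import collections
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed shared secret for this example only; a real deployment provisions
# a per-cluster key out of band and never hard-codes it.
SHARED_KEY = b"example-scheduler-key-replace-me"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag prefixes every frame


@dataclass(frozen=True)
class SchedulerRequest:
    """Hypothetical scheduler message; KTransformers' real schema is not on the page."""
    request_id: str
    prompt_tokens: tuple
    max_new_tokens: int


# The only global the protocol may reference. Scalars, tuples, lists and dicts
# are encoded by dedicated opcodes and never reach find_class, so the list stays
# tiny; any other module.name is refused before it can be resolved.
ALLOWED_GLOBALS = {(__name__, "SchedulerRequest")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals.

    Code execution through pickle depends on resolving a callable and then
    invoking it; refusing to resolve anything outside the allow-list removes
    that capability from the stream entirely.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def seal(obj, key=SHARED_KEY):
    """Serialize obj and prefix it with an HMAC-SHA256 tag over the pickle bytes."""
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(frame, key=SHARED_KEY):
    """Verify the tag first, then deserialize with the restricted unpickler.

    Order matters: nothing is parsed until the bytes are proven to come from a
    key holder, so an unauthenticated peer never reaches the unpickler at all.
    """
    if len(frame) < TAG_LEN:
        raise ValueError("frame shorter than HMAC tag")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC verification failed")
    return RestrictedUnpickler(io.BytesIO(body)).load()


# Checks a practitioner can run to watch each control engage.

def roundtrip_ok():
    req = SchedulerRequest("req-0001", (101, 202, 303), 16)
    return unseal(seal(req)) == req


def tamper_detected():
    frame = bytearray(seal(SchedulerRequest("req-0002", (7,), 1)))
    frame[-1] ^= 0x01  # flip one bit in the pickle body; the tag no longer matches
    try:
        unseal(bytes(frame))
    except ValueError as exc:
        return "HMAC" in str(exc)
    return False


def unlisted_global_rejected():
    # Defense in depth: even a correctly keyed frame may not name arbitrary
    # globals. collections.OrderedDict is a benign stand-in for a hostile payload.
    frame = seal(collections.OrderedDict(op="schedule"))
    try:
        unseal(frame)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for check in (roundtrip_ok, tamper_detected, unlisted_global_rejected):
        print(f"{check.__name__}: {'pass' if check() else 'FAIL'}")
```

The HMAC check is what removes the unauthenticated primitive: a peer without the key cannot produce a frame that reaches the unpickler. The allow-list is the second CWE-502 control and covers the case where the key is leaked or a trusted worker is compromised. ZeroMQ's own CURVE mechanism can additionally authenticate the transport, but it does not change what the application does with the payload, so the restricted unpickler is still needed.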

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 23, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026
