CVE-2026-44484

GHSA-w37p-236h-pfx3 CRITICAL
Published May 7, 2026

Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions (published 2026-04-30, last updated 2026-04-30). Lightning AI has identified a security incident affecting certain versions of a PyPI package; the full vendor advisory is reproduced under Technical Details below.


Affected Systems

Package: pytorch-lightning
Ecosystem: pip
Vulnerable Range: = 2.6.2 (the vendor advisory below also lists 2.6.3 as affected)
Patched: No patch


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: N/A

Recommended Action

No patch available

No patched release has been published. The vendor advisory below treats any installation of 2.6.2 or 2.6.3 as a compromise: rotate exposed credentials, rebuild affected systems from a known clean state, pin pytorch-lightning to 2.6.1, and review logs for unauthorised activity while monitoring for further updates.


Frequently Asked Questions

What is CVE-2026-44484?

Compromise of PyTorch Lightning PyPI Package Versions

Is CVE-2026-44484 actively exploited?

No confirmed active exploitation of CVE-2026-44484 has been reported. Because the affected releases themselves contain code consistent with credential harvesting, the vendor advises treating any environment that installed 2.6.2 or 2.6.3 as compromised and rotating exposed credentials immediately.

How to fix CVE-2026-44484?

No patched release is currently available. The vendor advisory recommends removing 2.6.2 and 2.6.3, pinning pytorch-lightning to 2.6.1, and monitoring vendor advisories for updates.

What is the CVSS score for CVE-2026-44484?

No CVSS score has been assigned yet.

Technical Details

NVD Description

# Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions

**Published:** 2026-04-30
**Last Updated:** 2026-04-30

Lightning AI has identified a security incident affecting certain versions of a PyPI package.

## What happened

Lightning AI has determined that one or more released versions of this package have been compromised and include malicious code. The current investigation indicates that the affected versions have introduced functionality consistent with a credential harvesting mechanism. Analysis of the scope and behaviour of the code is continuing. At this stage, the root cause of the compromise is still under investigation.

## What versions are affected

Lightning AI is currently working to confirm the exact set of impacted versions. The following versions are determined as affected, and developers should delete them from their systems:

- `2.6.2`
- `2.6.3`

Lightning AI will update this advisory if the versions impacted by this vulnerability change.

## What you should do immediately

If developers have installed or are running any potentially affected versions on their application:

- Assume the environment may be compromised
- Immediately rotate all credentials and secrets that may have been exposed, including:
  - API keys
  - Access tokens
  - SSH keys
  - Service account credentials
- Rebuild affected systems from a known clean state
- Pin PyTorch Lightning to version `2.6.1`
- Review logs for any suspicious or unauthorised activity

## Actions Lightning AI has taken

- Quarantined malicious versions from PyPI
- Recommended using version `2.6.1`: https://github.com/Lightning-AI/pytorch-lightning/releases/tag/2.6.1
- Revoked and rotated all internal credentials associated with our release process
- Initiated a full investigation into the compromise

## Ongoing investigation

Lightning AI is actively working to:

- Identify the exact mechanism of compromise
- Confirm the full set of affected versions
- Determine the behaviour and impact of the malicious code
- Assess any downstream impact to users

Lightning AI will provide updates as soon as more information becomes available.

## Commitment to transparency

Lightning AI takes the security of users and the integrity of the software supply chain extremely seriously. Lightning AI will continue to share timely and accurate updates as the investigation progresses.

## Contact

If there are any questions or if there are concerns that a consuming project may be impacted, please send an email to: **security@lightning.ai**
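As an added example (not Lightning AI's code or tooling from the advisory), the following Python audit applies the advisory's version list to a requirements or lock file and to the running interpreter: it flags exact pins to 2.6.2 or 2.6.3 and any unpinned specifier that could still resolve to a quarantined release. The sample requirements text is constructed.

```python
import re
from importlib import metadata

# Versions the Lightning AI advisory names as compromised, and the release
# it recommends pinning to instead.
AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}
RECOMMENDED_PIN = "2.6.1"

def normalize_name(name: str) -> str:
    """PEP 503 normalization so pytorch_lightning / PyTorch-Lightning compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(requirements_text: str) -> dict[str, list[str]]:
    """Classify pytorch-lightning lines: 'affected' = exact == pin to a compromised
    version; 'unpinned' = any other specifier, which resolves only at install time."""
    report: dict[str, list[str]] = {"affected": [], "unpinned": []}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$", line)
        if not m or normalize_name(m.group(1)) != "pytorch-lightning":
            continue
        pin = re.match(r"==\s*([0-9][\w.]*)", m.group(2))
        if pin is None:
            report["unpinned"].append(line)
        elif pin.group(1) in AFFECTED_VERSIONS:
            report["affected"].append(pin.group(1))
    return report

def installed_status() -> str:
    """Classify the pytorch-lightning distribution installed in this interpreter, if any."""
    try:
        version = metadata.version("pytorch-lightning")
    except metadata.PackageNotFoundError:
        return "not installed"
    if version in AFFECTED_VERSIONS:
        return f"AFFECTED {version}: treat host as compromised, rotate credentials, rebuild"
    return f"ok {version}"

# Constructed sample lock file (not taken from the advisory), with a compromised pin.
SAMPLE_REQUIREMENTS = """\
torch==2.5.1
PyTorch_Lightning==2.6.3   # rolled forward past the safe 2.6.1 release
lightning-utilities==0.11.0
"""

if __name__ == "__main__":
    report = audit_requirements(SAMPLE_REQUIREMENTS)
    for version in report["affected"]:
        print(f"pytorch-lightning=={version} is compromised; pin to {RECOMMENDED_PIN}")
    print(installed_status())
```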

Timeline

Published: May 7, 2026
Last Modified: May 7, 2026
First Seen: May 7, 2026
