{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24204", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2026-01-21T19:09:34.870Z", "datePublished": "2026-04-28T17:46:15.175Z", "dateUpdated": "2026-04-28T17:46:15.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-04-28T17:46:15.175Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "affected": [{"vendor": "NVIDIA", "product": "FLARE SDK", "platforms": ["Linux/MacOS"], "versions": [{"status": "affected", "version": "All versions prior to 2.7.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NVIDIA Flare SDK contains a vulnerability where an Attacker may cause an Improper Input Validation by path traversing. A successful exploit of this vulnerability may lead to information disclosure.", "supportingMedia": [{"type": "text/html", "base64": true, "value": "NVIDIA Flare SDK contains a vulnerability where an Attacker may cause an Improper Input Validation by path traversing. A successful exploit of this vulnerability may lead to information disclosure."}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24204"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-24204"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5819"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Flare SDK contains a vulnerability where an Attacker may cause an Improper Input Validation by path traversing. A successful exploit of this vulnerability may lead to information disclosure."}], "id": "CVE-2026-24204", "lastModified": "2026-04-28T20:10:42.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-04-28T19:36:45.397", "references": [{"source": "psirt@nvidia.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24204"}, {"source": "psirt@nvidia.com", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5819"}, {"source": "psirt@nvidia.com", "url": "https://www.cve.org/CVERecord?id=CVE-2026-24204"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T23:11:12.074432+00:00", "value": {"mitigation_remediation": ["Check the NVIDIA support portal and advisories for an official patch or update addressing the path traversal vulnerability in the Flare SDK.", "Implement or enforce strict input validation on any data passed to the SDK, ensuring file paths cannot include directory traversal sequences.", "Restrict file system permissions so that the application process running the SDK can only read files within a designated safe directory.", "Isolate the SDK\u2019s execution in a sandboxed environment or container with minimal file system access until a patch is applied."], "summary": {"action": "Assess Impact", "impact": "Information Disclosure via Path Traversal"}, "threat_synthesis": {"affected_systems": "Vendors affected include NVIDIA, specifically products using the Flare SDK. No specific version numbers are disclosed in the available data, so all installations of the Flare SDK should be evaluated for the presence of the flaw.", "description_and_impact": "NVIDIA Flare SDK has an improper input validation flaw that allows an attacker to perform path traversal. This could enable the attacker to read files outside the intended directory, potentially leaking sensitive information. The weakness is categorized as CWE\u201120, indicating untrusted data used in file path construction.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates a moderate severity. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The attacker could potentially exploit this flaw if an input channel to the SDK can be controlled, most likely through user\u2011supplied data or a network request. The impact is limited to information disclosure; no remote code execution or denial\u2011of\u2011service is indicated."}}}}, "created": "2026-04-28T23:15:43.857069+00:00", "title": "Improper Input Validation in NVIDIA Flare SDK Leading to Path Traversal and Information Disclosure", "updated": "2026-04-28T23:15:43.857081+00:00", "vendors": []}