LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.
Security readout for executives and security teams
Plain-English summary
LightLLM PD mode can let an unauthenticated remote attacker run code on the PD master if they can reach its WebSocket endpoints. This is critical because the affected service may run inside AI inference infrastructure and compromise could lead to full host control.
Executive priority
Treat this as urgent for any organization running LightLLM in PD mode. Prioritize discovery and network containment first, then follow vendor guidance for durable remediation.
Technical view
CVE-2026-26220 is a CWE-502 unsafe deserialization flaw in LightLLM 1.1.0 and prior. In PD disaggregation mode, the PD master accepts binary WebSocket frames and passes them to pickle.loads() without authentication or validation, enabling remote code execution when the endpoint is reachable.
Likely exposure
Exposure is limited to LightLLM deployments using PD prefill-decode disaggregation mode where the PD master WebSocket endpoints are reachable by an attacker. The affected metadata is incomplete, so confirm product version and mode directly.
Exploitation context
The source bundle includes a technical write-up tagged as exploit and a third-party advisory. It does not show CISA KEV listing or confirmed active exploitation, so active exploitation should not be assumed.
Researcher notes
Key evidence is unsafe pickle deserialization reachable through unauthenticated PD master WebSocket handling. Avoid relying only on package metadata because the source bundle’s affected-version structure is incomplete despite the narrative stating 1.1.0 and prior.
Mitigation direction
Identify all LightLLM deployments and confirm whether PD mode is enabled.
Restrict PD master WebSocket access to trusted internal components only.
Disable PD mode where it is not operationally required.
Check ModelTC guidance for a fixed version or official workaround.
Monitor the GitHub issue and VulnCheck advisory for updates.
Validation and detection
Inventory deployed LightLLM versions and compare against 1.1.0 and prior.
Confirm PD master endpoints are not internet-accessible.
Review firewall and service mesh rules around PD master traffic.
Check logs for unexpected WebSocket connections to PD master endpoints.
Verify remediation by confirming only trusted nodes can reach PD master.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.