๐Ÿ” CVE Alert

CVE-2026-14621

LOW 3.1

FederatedAI FATE OSX Broker QueuePushReqStreamObserver.java QueuePushReqStreamObserver.initEggroll wrong session

CVSS Score
3.1
EPSS Score
0.0%
EPSS Percentile
0th

A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument rollSiteSessionId/dstRole/dstPartyId leads to exposure of data element to wrong session. The attack can be executed remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.

CWE CWE-488
Vendor federatedai
Product fate
Published Jul 4, 2026
Stay Ahead of the Next One

Get instant alerts for federatedai fate

Be the first to know when new low vulnerabilities affecting federatedai fate are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

FederatedAI / FATE
2.0 2.1 2.2.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vuldb.com: https://vuldb.com/vuln/376137 vuldb.com: https://vuldb.com/vuln/376137/cti vuldb.com: https://vuldb.com/cve/CVE-2026-14621 vuldb.com: https://vuldb.com/submit/844900 github.com: https://github.com/FederatedAI/FATE/issues/5791 github.com: https://github.com/FederatedAI/FATE/pull/5792 github.com: https://github.com/FederatedAI/FATE/

Credits

๐Ÿ” Dem00000 (VulDB User) VulDB CNA Team