CVE-2026-26220
📋 TL;DR
LightLLM versions 1.1.0 and earlier contain an unauthenticated remote code execution vulnerability in PD disaggregation mode. Attackers can send malicious pickle payloads via WebSocket to the PD master node to execute arbitrary code. Organizations running LightLLM with PD mode enabled are affected.
💻 Affected Systems
- LightLLM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized code execution leading to data exfiltration, service disruption, or cryptocurrency mining.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent access to vulnerable endpoints.
🎯 Exploit Status
Exploit requires sending crafted pickle payload via WebSocket to vulnerable endpoints. Public technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Monitor LightLLM GitHub repository for security updates. 2. Apply patch when available. 3. Restart LightLLM services after patching.
🔧 Temporary Workarounds
Disable PD Mode
allDisable prefill-decode disaggregation mode if not required.
Modify LightLLM configuration to disable PD mode
Network Access Control
allRestrict network access to PD master node WebSocket endpoints.
Configure firewall rules to block external access to PD master ports
Use network segmentation to isolate PD master
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PD master from untrusted networks
- Add authentication layer before pickle.loads() calls in the WebSocket handlers
🔍 How to Verify
Check if Vulnerable:
Check if LightLLM version is 1.1.0 or earlier and PD mode is enabled with PD master accessible.Check Version:
Check LightLLM version in configuration or via package manager (e.g., pip show lightllm)Verify Fix Applied:
Verify LightLLM version is updated beyond 1.1.0 and PD master endpoints no longer accept unauthenticated pickle payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connections to PD master
- Pickle deserialization errors
- Unexpected process execution
Network Indicators:
- WebSocket traffic to PD master port with binary frames
- Outbound connections from PD master to unexpected destinations
SIEM Query:
websocket AND (pickle OR deserialization) AND pd_master🔗 References
- https://chocapikk.com/posts/2026/lightllm-pickle-rce/
- https://github.com/ModelTC/LightLLM/issues/1213
- https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L310
- https://github.com/ModelTC/lightllm/blob/a27dfc88c2144ed51a6e160b6fbe20aad66c8fe0/lightllm/server/api_http.py#L331
- https://lightllm-en.readthedocs.io/en/latest/index.html
- https://www.vulncheck.com/advisories/lightllm-pd-mode-unsafe-deserialization-rce
