## https://sploitus.com/exploit?id=BECF4517-38B6-5DC3-97A0-FDF34F1763C0
# CVE-2026-24207 / 24206: NVIDIA Triton Inference Server SageMaker & Vertex AI auth bypass

> Unauthenticated attackers can reach the model-management surface of
> NVIDIA Triton Inference Server on the SageMaker and Vertex AI HTTP
> ports, bypassing the operator's `--http-restricted-api` configuration.
> Combined with the SageMaker MME LOAD primitive and a Python-backend
> model, this enables **pre-auth remote code execution** as the Triton
> process user when the attacker can place model files on a
> Triton-readable filesystem path.

- **CVE:** [CVE-2026-24207](https://nvd.nist.gov/vuln/detail/CVE-2026-24207) (SageMaker) · [CVE-2026-24206](https://nvd.nist.gov/vuln/detail/CVE-2026-24206) (Vertex AI)
- **CWE-288:** Authentication Bypass Using an Alternate Path or Channel
- **CVSS 9.8 (NIST) / 7.3 (NVIDIA CNA)**
- **Vendor:** NVIDIA Corporation · **Product:** Triton Inference Server
- **Write-up:** [offseckit.com/blog/cve-2026-24207](https://offseckit.com/blog/cve-2026-24207)

## Affected versions

| Component | Vulnerable | Fixed |
|---|---|---|
| NVIDIA Triton Inference Server | ≤ 26.02 (v2.66.0) | 26.03 (v2.67.0) |

## Quick start

### Check if a device is patched (defenders)

```bash
python3 detect.py 
```

Sends one read-only GET. Prints `PATCHED`, `VULNERABLE`, or `UNKNOWN`.
Makes no changes.
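As an added illustration of the version-fingerprint side of such a check (example code written for this page, not the repository's `detect.py`), the classifier below maps a Triton version string to the same three verdicts using only the thresholds from the affected-versions table above. It assumes the server exposes the KServe v2 metadata endpoint `GET /v2` with a `version` field; the sample JSON body is constructed, not captured from a real server.

```python
import json
import re
import urllib.request

# Thresholds taken from the affected-versions table in this README.
FIXED_SEMVER = (2, 67, 0)      # Triton v2.67.0
FIXED_CONTAINER = (26, 3)      # NGC container tag 26.03

# Constructed sample of a /v2 metadata body (not captured from a real server).
SAMPLE_METADATA = '{"name": "triton", "version": "2.66.0", "extensions": []}'


def classify_version(version: str) -> str:
    """Map a Triton version string to PATCHED / VULNERABLE / UNKNOWN.

    Accepts the semver reported by the metadata endpoint ("2.66.0", "v2.67.0")
    and the NGC container-tag form ("26.02", "26.03-py3"). Anything that does
    not parse is reported as UNKNOWN rather than guessed.
    """
    text = version.strip()
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text)
    if m:
        ver = tuple(int(x) for x in m.groups())
        return "PATCHED" if ver >= FIXED_SEMVER else "VULNERABLE"
    m = re.match(r"^(\d{2})\.(\d{2})(?:-|$)", text)
    if m:
        tag = (int(m.group(1)), int(m.group(2)))
        return "PATCHED" if tag >= FIXED_CONTAINER else "VULNERABLE"
    return "UNKNOWN"


def version_from_metadata(body: str) -> str:
    """Extract the version field from a KServe v2 server-metadata JSON body.
    Returns "" when the body is not a JSON object or has no version."""
    try:
        return str(json.loads(body).get("version", ""))
    except (ValueError, AttributeError):
        return ""


def check_server(base_url: str, timeout: float = 5.0) -> str:
    """One read-only GET against /v2 (assumed endpoint); makes no state change."""
    try:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/v2", timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        return classify_version(version_from_metadata(body))
    except (OSError, ValueError):
        return "UNKNOWN"


if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000"))
```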

### Understand the bypass (researchers)

```bash
python3 bypass_demo.py 
```

Sends three probes: health (always succeeds), `/models` WITH the
configured auth header (authorized baseline), and `/models` WITHOUT
the header (the bypass). Side-by-side response codes show the
behavior difference. No state change. See
[`docs/root-cause.md`](docs/root-cause.md).

### Demonstrate impact (authorized testing only)

```bash
# Probe the model-management surface (enumerate + LOAD attempt + UNLOAD attempt)
python3 exploit.py 

# Full RCE chain: point Triton at a path you control on its filesystem
python3 exploit.py  --mode rce \
        --url /opt/ml/models/ \
        --name chaindemo
```

The `--mode rce` flow loads a Python-backend model from a
user-supplied path. If the directory contains a valid `config.pbtxt`
+ `model.py` (see [`example/`](example/) for a benign demo), the
`model.py` executes as the Triton process user, pre-auth.

See [`docs/rce-chain.md`](docs/rce-chain.md) for the chain mechanics
and prerequisites.

## Files

| File                              | Purpose                                          |
|-----------------------------------|--------------------------------------------------|
| `detect.py`                       | Non-destructive patch-status check               |
| `bypass_demo.py`                  | Educational side-by-side of the bypass mechanic  |
| `exploit.py`                      | Model-management probe + RCE chain demonstration |
| `example/`                        | Benign Python-backend model for the RCE demo     |
| `detection/triton-access.md`      | Detection guidance (version fingerprint + log signatures) |
| `detection/suricata.rules`        | Network IDS rule                                 |
| `docs/root-cause.md`              | Short root-cause explainer                       |
| `docs/patch-diff.md`              | The fix, in one diff                             |
| `docs/rce-chain.md`               | The unauth-RCE chain via Python backend          |

## Requirements

Python 3.8+ and `requests`:

```bash
pip install requests
```

## Authorized use only

This is security research. Only use against systems you own or have
explicit written permission to test. Unauthorized access to inference
servers is illegal in most jurisdictions. The RCE chain requires the
attacker to be able to place files on the target's filesystem; this
prerequisite limits real-world exploitability but does not eliminate
the underlying vulnerability.

## Credits

Independent post-patch analysis and PoC by **4252nez**; write-up on
[OffSecKit](https://offseckit.com).

## License

MIT; see [LICENSE](LICENSE).