PT-2026-28652 · Unknown · Grid::Machine

Piedcrow · Published 2026-03-28 · Updated 2026-03-29 · CVE-2026-4851

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GRID::Machine versions through 0.127

Description

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. A compromised or malicious remote host can execute arbitrary code on the client through unsafe deserialization in the RPC protocol. The read_operation() function in lib/GRID/Machine/Message.pm deserializes values from the remote side using eval(). The variable $arg receives raw bytes from the protocol pipe, allowing a compromised remote host to embed arbitrary Perl code in the Dumper-formatted response, which is then executed on the client with every RPC call. The trust requirement for the remote host is not documented. The API endpoint is not explicitly mentioned. The vulnerable parameter is $arg.

Recommendations

Versions prior to 0.128 should be considered vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
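
The weakness class described above, as an added example that is not GRID::Machine's code: eval() on Dumper-formatted text compiles whatever the peer sent, while a data-only parser only builds values. The helper names, the sample messages and the use of JSON::PP as the alternative are assumptions for illustration, not a fix published by the project.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Data::Dumper;
use JSON::PP;

our $side_effect = 0;    # becomes 1 if decoding a message runs code from it

# Risky pattern (simplified, hypothetical helper): rebuild a value by
# eval()ing Dumper-formatted text that arrived from the peer.
sub decode_with_eval {
    my ($arg) = @_;
    my $value = eval $arg;
    die "decode failed: $@" if $@;
    return $value;
}

# Data-only alternative (assumption, not a published fix): JSON parsing
# builds Perl data structures and never compiles the input as code.
sub decode_with_json {
    my ($arg) = @_;
    return JSON::PP->new->utf8->decode($arg);
}

# Constructed sample messages.
$Data::Dumper::Terse = 1;
my $honest   = Dumper([ 'ok', 42 ]);
my $tampered = 'do { $main::side_effect = 1; ["ok", 42] }';

for my $case ([ honest => $honest ], [ tampered => $tampered ]) {
    my ($name, $msg) = @$case;
    $side_effect = 0;
    my $v = decode_with_eval($msg);
    printf "eval %-8s value=(%s) side_effect=%d\n",
        $name, join(',', @$v), $side_effect;
}

# The same logical reply as JSON decodes cleanly; the tampered text is
# rejected by the parser and nothing in it is executed.
$side_effect = 0;
my $v = decode_with_json(encode_json([ 'ok', 42 ]));
printf "json %-8s value=(%s) side_effect=%d\n",
    'honest', join(',', @$v), $side_effect;

my $accepted = eval { decode_with_json($tampered); 1 } ? 1 : 0;
printf "json %-8s accepted=%d side_effect=%d\n",
    'tampered', $accepted, $side_effect;
```

Both eval cases return the same value, so a caller that only inspects the decoded result cannot tell that the tampered message also ran code.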

Weakness Enumeration

Deserialization of Untrusted Data

Eval Injection

Related Identifiers

CVE-2026-4851

Affected Products

Grid::Machine