PT-2026-38407 · Pypi · Pytorch-Lightning

Brahman81 · Published 2026-05-07 · Updated 2026-05-21

CVE-2026-44484 · CVSS v3.1 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PyTorch Lightning versions 2.6.2 through 2.6.3
Description: PyTorch Lightning, a deep learning framework used to pretrain and finetune AI models, has compromised releases that include malicious code. The injected code introduces functionality consistent with a credential harvesting mechanism, designed to collect sensitive information such as passwords or API keys.
Recommendations: If you are running versions 2.6.2 through 2.6.3, pin PyTorch Lightning to version 2.6.1. Immediately rotate all potentially exposed credentials and secrets, including API keys, access tokens, SSH keys, and service account credentials. Rebuild affected systems from a known clean state. Review logs for any suspicious or unauthorized activity.
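An added audit script (not part of this advisory or the PyTorch Lightning project) that applies the recommendation above to a requirements file: it flags exact pins inside the affected range 2.6.2 through 2.6.3, treats any non-exact specifier as one that could resolve to an affected release at install time, and rewrites both to the recommended 2.6.1 pin. The requirements content is constructed inline for illustration.

```python
# Added example for this advisory (not from the advisory or the project): flag
# pytorch-lightning requirement lines that pin, or can resolve to, the affected
# range 2.6.2..2.6.3 and rewrite them to the recommended pin 2.6.1.
import re

PACKAGE = "pytorch-lightning"
AFFECTED = ((2, 6, 2), (2, 6, 3))  # inclusive range, from the advisory
SAFE_PIN = "2.6.1"
REQ_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|>|<|!=)?\s*([^\s,;]*)")

def normalize(name):
    # PEP 503: "PyTorch_Lightning" and "pytorch-lightning" name the same project
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    # PEP 440 release segment only; pre/post/dev suffixes are dropped, so
    # "2.6.2rc1" is flagged conservatively rather than treated as safe
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version):
    return AFFECTED[0] <= release_tuple(version) <= AFFECTED[1]

def classify(line):
    """'affected', 'ok' or 'unpinned' for a pytorch-lightning requirement line, else None."""
    spec = line.split("#", 1)[0].strip()
    m = REQ_RE.match(spec) if spec else None
    if not m or normalize(m.group(1)) != PACKAGE:
        return None
    op, ver = m.group(2), m.group(3)
    if op == "==" and ver:
        return "affected" if is_affected(ver) else "ok"
    return "unpinned"  # a range or bare name can resolve to 2.6.2/2.6.3 at install time

def audit_requirements(text):
    """Return (line, verdict) for every pytorch-lightning line in a requirements file."""
    return [(l, classify(l)) for l in text.splitlines() if classify(l)]

def fixed_requirements(text):
    """Rewrite affected or unpinned pytorch-lightning lines to the safe exact pin."""
    return "\n".join(f"{PACKAGE}=={SAFE_PIN}" if classify(l) in ("affected", "unpinned") else l
                     for l in text.splitlines())

# Constructed sample input, not taken from any real project
SAMPLE = """torch==2.3.0
pytorch-lightning==2.6.2   # affected
PyTorch_Lightning>=2.6     # unpinned: could resolve to 2.6.3
lightning-utilities==0.11.0
"""
```

Pinning only stops new installs from pulling the compromised releases; hosts that already installed 2.6.2 or 2.6.3 still need the credential rotation and rebuild described above.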

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-44484
GHSA-W37P-236H-PFX3

Affected Products

Pytorch-Lightning