PT-2026-40059 · Pysyft · Pysyft

Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-31220

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PySyft (Syft Datasite/Server) versions prior to 0.9.6
Description: Insufficient validation and sandboxing of user-submitted code allow remote code execution. Low-privileged users can submit Python functions via the @sy.syft_function() decorator for remote execution on the server. Although a code approval mechanism is present, the submitted code is not checked for dangerous operations such as file access or command execution. Once approved, the code is executed inside the server process with exec() and eval() and without isolation, so a remote attacker can run arbitrary Python code and fully compromise the server environment.
Recommendations: Update to a version later than 0.9.5. As a temporary workaround, restrict the use of the @sy.syft_function() decorator to trusted users only.
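The description's key point is that the approval step never inspects the submitted function for file access, command execution or dynamic evaluation. The following is an added illustration, not PySyft's code, of the kind of pre-approval static check a reviewer would want in front of such a workflow: it parses the submitted source into an AST (nothing is executed) and flags denylisted imports, builtins and dunder attribute access. The module, builtin and attribute denylists and the two sample submissions are constructed for this example. A check like this is defense in depth only: Python source can be obfuscated past any static filter, so the effective control remains isolating execution (and upgrading past 0.9.5), not screening text.

```python
import ast

# Constructed denylists for this example. A data-science function submitted for
# remote execution has no legitimate reason to touch any of these.
DENIED_MODULES = {"os", "subprocess", "sys", "shutil", "socket", "importlib",
                  "ctypes", "pickle", "marshal", "builtins", "pty", "signal"}
DENIED_CALLS = {"exec", "eval", "compile", "open", "__import__", "getattr",
                "setattr", "globals", "locals", "vars", "breakpoint", "input"}
DENIED_ATTRS = {"__subclasses__", "__globals__", "__builtins__", "__code__",
                "__class__", "__bases__", "__mro__", "__import__", "__dict__"}


def find_dangerous_operations(source: str) -> list[str]:
    """Return a list of findings for the submitted source; empty means nothing flagged.

    The source is parsed, never executed. Unparseable input is itself a finding,
    since the approver cannot reason about what it would do.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error ({exc.msg})"]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in DENIED_MODULES:
                    findings.append(f"line {node.lineno}: import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root in DENIED_MODULES:
                findings.append(f"line {node.lineno}: import from {node.module}")
        elif isinstance(node, ast.Call):
            # Only bare-name calls are checked here; calls through an attribute
            # (e.g. os.listdir) are caught by the import check above.
            func = node.func
            if isinstance(func, ast.Name) and func.id in DENIED_CALLS:
                findings.append(f"line {node.lineno}: call to {func.id}()")
        elif isinstance(node, ast.Attribute) and node.attr in DENIED_ATTRS:
            findings.append(f"line {node.lineno}: access to {node.attr}")
    return findings


def approve(source: str) -> bool:
    """Approval gate: reject if any finding was produced."""
    return not find_dangerous_operations(source)


# Constructed sample submissions (hypothetical, not from the advisory).
BENIGN = '''
def mean_age(df):
    return sum(df["age"]) / len(df["age"])
'''

SUSPICIOUS = '''
import os

def mean_age(df):
    data = open("/etc/hostname").read()
    return len(os.listdir("/"))
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        verdict = "approve" if approve(src) else "reject"
        print(f"{label}: {verdict} {find_dangerous_operations(src)}")
```

In practice the gate would run on the server at submission time and attach its findings to the approval request, so the approving data owner sees "import of os" and "call to open()" next to the function rather than having to read the source unaided.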

Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-31220, GHSA-CFPG-C974-JFHQ

Affected Products: Pysyft