PT-2026-41018 · Gradient · Gradient
CVSS v3.1
9.4
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Gradient versions prior to 1.1.1
Description
When the
GRADIENT DISCOVERABLE variable is set to true, an unauthenticated user can register as a worker by sending a new worker UUID to the /proto endpoint. This allows the user to obtain a session with PeerAuth::Open permissions, enabling them to view jobs from all organizations and upload arbitrary store paths into nar storage and the cached path table using NarPush or NarUploaded functions.Recommendations
Update to version 1.1.1.
Set the
GRADIENT DISCOVERABLE variable to false to prevent unauthorized worker registration.Exploit
Fix
Insufficient Verification of Data Authenticity
Missing Authorization
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Gradient