PatchSiren cyber security CVE debrief
CVE-2026-14621 FederatedAI CVE debrief
CVE-2026-14621 is a vulnerability in FederatedAI FATE up to version 2.2.0. It affects the OSX Broker component, specifically the QueuePushReqStreamObserver.initEggroll function in java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java. Manipulating request arguments, including rollSiteSessionId, dstRole and dstPartyId, can cause data elements to be delivered to the wrong session. The attack can be carried out remotely, but its complexity is rated high, which limits practical exploitability. An exploit has been disclosed publicly and may be used. A pull request that fixes the issue is awaiting acceptance.
- Vendor: FederatedAI
- Product: FATE
- CVSS: LOW 1.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-07-04
- Original CVE updated: 2026-07-04
- Advisory published: 2026-07-04
- Advisory updated: 2026-07-04
Who should care
Security teams and administrators who run FederatedAI FATE, in particular deployments where the OSX Broker exchanges queue data with other parties' sites, should be aware of this vulnerability. With a CVSS score of 1.3 and a high attack complexity it is unlikely to need emergency action, but because the flaw concerns data being routed to the wrong session, it deserves a review in any deployment where the participating parties are not fully trusted.
Technical summary
The vulnerability is in the QueuePushReqStreamObserver.initEggroll function of the OSX Broker component in FederatedAI FATE up to version 2.2.0. The function consumes request-supplied routing arguments, among them rollSiteSessionId, dstRole and dstPartyId, when it sets up the session that a pushed queue entry is delivered to; the record describes improper handling of these arguments, with the result that data elements can be exposed to a session other than the intended one. The CVSS score is 1.3 (low). The attack vector is network and the attack complexity is high, so exploitation is difficult in practice.
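The following is an added illustration of the bug class described above, written in Python for readability; it is not code from the FATE project (the OSX Broker is Java and its real types differ). Broker, Session, Party, push_unchecked and push_checked are hypothetical names. The vulnerable path lets the request's own rollSiteSessionId, dstRole and dstPartyId pick the delivery session; the hardened path validates those fields against the membership of the session the caller belongs to before any data is queued.

```python
# Added example, not FATE code. Types and names are hypothetical and chosen
# to illustrate request-controlled session routing versus validated routing.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Party:
    """A federated-learning participant, identified by role and party id."""
    role: str      # e.g. "guest" or "host"
    party_id: str  # e.g. "9999"


@dataclass
class Session:
    """A rollsite-style session: a fixed set of parties that may exchange data."""
    session_id: str
    members: frozenset                     # Party objects allowed in this session
    inbox: list = field(default_factory=list)


class RoutingError(Exception):
    pass


class Broker:
    def __init__(self):
        self.sessions = {}

    def open_session(self, session_id, *members):
        self.sessions[session_id] = Session(session_id, frozenset(members))

    def push_unchecked(self, caller, req):
        """Vulnerable pattern: the request's routing fields alone select the session.

        Anyone who can reach the endpoint may name any rollSiteSessionId and any
        dstRole/dstPartyId, so data crosses into a session the caller is not part of,
        or is addressed to a party that is not part of the named session.
        """
        session = self.sessions[req["rollSiteSessionId"]]
        dst = Party(req["dstRole"], req["dstPartyId"])
        session.inbox.append((caller, dst, req["payload"]))

    def push_checked(self, caller, req):
        """Hardened pattern: both caller and destination must be members of the session."""
        session = self.sessions.get(req["rollSiteSessionId"])
        if session is None:
            raise RoutingError("unknown rollSiteSessionId")
        dst = Party(req["dstRole"], req["dstPartyId"])
        if caller not in session.members:
            raise RoutingError("caller is not a member of this session")
        if dst not in session.members:
            raise RoutingError("destination is not a member of this session")
        session.inbox.append((caller, dst, req["payload"]))


def make_scenario():
    """Constructed scenario: guest and host share sess-42; an outsider shares sess-7 with guest."""
    broker = Broker()
    guest, host, outsider = Party("guest", "9999"), Party("host", "10000"), Party("host", "31337")
    broker.open_session("sess-42", guest, host)
    broker.open_session("sess-7", guest, outsider)
    # Abuse 1: the outsider names a session it does not belong to.
    forged_session = {"rollSiteSessionId": "sess-42", "dstRole": "guest",
                      "dstPartyId": "9999", "payload": b"data-element"}
    # Abuse 2: a real member of sess-42 redirects data to a party outside that session.
    forged_dst = {"rollSiteSessionId": "sess-42", "dstRole": "host",
                  "dstPartyId": "31337", "payload": b"data-element"}
    return broker, host, outsider, [(outsider, forged_session), (host, forged_dst)]


def demo_unchecked():
    """Returns (caller id, destination id) pairs that reached sess-42 via the vulnerable path."""
    broker, _, _, abuses = make_scenario()
    for caller, req in abuses:
        broker.push_unchecked(caller, req)
    return [(c.party_id, d.party_id) for c, d, _ in broker.sessions["sess-42"].inbox]


def demo_checked():
    """Returns (rejection reasons for the abuses, inbox length after one legitimate push)."""
    broker, host, _, abuses = make_scenario()
    errors = []
    for caller, req in abuses:
        try:
            broker.push_checked(caller, req)
        except RoutingError as e:
            errors.append(str(e))
    broker.push_checked(host, {"rollSiteSessionId": "sess-42", "dstRole": "guest",
                               "dstPartyId": "9999", "payload": b"data-element"})
    return errors, len(broker.sessions["sess-42"].inbox)


if __name__ == "__main__":
    print("unchecked:", demo_unchecked())
    print("checked:", demo_checked())
```

The point of the hardened path is that the identity the broker trusts is the authenticated caller and the session's configured membership, not the routing fields carried in the request; the request fields are only accepted once they agree with that membership.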
Defensive priority
Given the low CVSS score and high attack complexity, this vulnerability is not a critical remediation priority. It should still be addressed as part of regular security maintenance, and sooner in deployments where the broker exchanges data with external parties' sites, since the consequence of the flaw is data reaching a session it was not meant for.
Recommended defensive actions
- Track the pending pull request and apply the fix once it is merged; if your change process allows it, review the proposed patch and apply it ahead of the merge.
- Confirm the installed FATE version; every version up to and including 2.2.0 is in scope.
- Restrict network access to the OSX Broker's gRPC endpoint to the partner sites that are expected to reach it, so that arbitrary remote hosts cannot submit push requests to initEggroll.
- Monitor OSX Broker logs for push requests whose rollSiteSessionId, dstRole or dstPartyId do not match the parties expected for that session, if the broker logs those fields in your deployment; that mismatch is the manipulation the advisory describes.
- Perform a risk assessment to determine the relevance and potential impact of this vulnerability for your specific environment and the parties you federate with.
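An added detection example for the log-monitoring item above; it is not part of the advisory or the FATE project. The log line format, the sample lines and the session registry are constructed for the example, so the regular expression must be adapted to whatever the deployed broker actually writes. The check compares each push's source and destination party against the expected membership of the named session (as known from the job configuration), and a second registry-free heuristic reports how many distinct parties have appeared in each session.

```python
# Added example, not FATE code. Log format, sample lines and registry are
# constructed for illustration; adapt LINE_RE to the real broker log format.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+\s+QueuePushReqStreamObserver session=(?P<session>\S+) "
    r"src=(?P<src_role>\w+):(?P<src_id>\w+) dstRole=(?P<dst_role>\w+) dstPartyId=(?P<dst_id>\w+)$"
)

# Constructed sample log: lines 3 and 4 are the suspicious ones.
SAMPLE_LOG = """
2026-07-04T10:00:01Z INFO  QueuePushReqStreamObserver session=sess-42 src=host:10000 dstRole=guest dstPartyId=9999
2026-07-04T10:00:02Z INFO  QueuePushReqStreamObserver session=sess-42 src=guest:9999 dstRole=host dstPartyId=10000
2026-07-04T10:00:03Z INFO  QueuePushReqStreamObserver session=sess-42 src=host:31337 dstRole=guest dstPartyId=9999
2026-07-04T10:00:04Z INFO  QueuePushReqStreamObserver session=sess-42 src=host:10000 dstRole=host dstPartyId=31337
2026-07-04T10:00:05Z INFO  QueuePushReqStreamObserver session=sess-7 src=guest:9999 dstRole=host dstPartyId=31337
""".strip().splitlines()

# Expected membership per session, as the job owner knows it from the job configuration.
REGISTRY = {
    "sess-42": {("guest", "9999"), ("host", "10000")},
    "sess-7": {("guest", "9999"), ("host", "31337")},
}


def parse(lines):
    """Yields (line number, session id, (src role, src id), (dst role, dst id)) per push line."""
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m:
            yield (n, m.group("session"),
                   (m.group("src_role"), m.group("src_id")),
                   (m.group("dst_role"), m.group("dst_id")))


def flag_cross_session(lines, registry):
    """Returns (line number, reason) for pushes whose src or dst is not a member of the session."""
    findings = []
    for n, sess, src, dst in parse(lines):
        members = registry.get(sess)
        if members is None:
            findings.append((n, f"unknown session {sess}"))
            continue
        if src not in members:
            findings.append((n, f"src {src[0]}:{src[1]} not a member of {sess}"))
        if dst not in members:
            findings.append((n, f"dst {dst[0]}:{dst[1]} not a member of {sess}"))
    return findings


def parties_per_session(lines):
    """Registry-free heuristic: a two-party session that shows a third party is worth a look."""
    seen = defaultdict(set)
    for _, sess, src, dst in parse(lines):
        seen[sess].update((src, dst))
    return {sess: sorted(parties) for sess, parties in seen.items()}


if __name__ == "__main__":
    for n, reason in flag_cross_session(SAMPLE_LOG, REGISTRY):
        print(f"line {n}: {reason}")
    for sess, parties in parties_per_session(SAMPLE_LOG).items():
        print(sess, len(parties), "distinct parties")
```

The registry-based check is the reliable one, since it encodes which parties a session was created for; the party-count heuristic is a fallback for environments where that configuration is not available to the monitoring pipeline.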
Evidence notes
CVE-2026-14621 was identified in FederatedAI FATE up to version 2.2.0. It affects the OSX Broker component and carries a CVSS score of 1.3. An exploit has been disclosed publicly, and a fix is pending acceptance as a pull request. The primary source for this record is the NVD database.
Official resources
This article is AI-assisted and based on the supplied source corpus.