PatchSiren cyber security CVE debrief

CVE-2026-14621 FederatedAI CVE debrief

CVE-2026-14621 is a vulnerability found in FederatedAI FATE up to version 2.2.0. It affects the OSX Broker component, specifically the QueuePushReqStreamObserver.initEggroll function in the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java. Manipulation of certain arguments, including rollSiteSessionId, dstRole, and dstPartyId, can lead to the exposure of data elements to the wrong session. The attack can be executed remotely, but its complexity is high, which makes exploitation difficult. The exploit has been disclosed to the public and may be used. A pull request to fix this issue is awaiting acceptance.

Vendor: FederatedAI
Product: FATE
CVSS: LOW 1.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-07-04
Original CVE updated: 2026-07-04
Advisory published: 2026-07-04
Advisory updated: 2026-07-04

Who should care

Security teams and administrators responsible for FederatedAI FATE installations should be aware of this vulnerability. Given the low CVSS score of 1.3 and the high complexity of the attack, it may not be a high priority for immediate action, but it should be reviewed and addressed in the context of overall system security.

Technical summary

The vulnerability is located in the QueuePushReqStreamObserver.initEggroll function of the OSX Broker component in FederatedAI FATE up to version 2.2.0. Improper handling of the caller-supplied arguments named above allows data elements to be exposed to the wrong session. The vulnerability has a CVSS score of 1.3, indicating low severity. The attack vector is network-based and the attack complexity is high, so it is difficult to exploit.
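To make the weakness class concrete, here is an added, hypothetical Java sketch (not FATE's code and not the pending fix; the class, field and method names are assumptions) of a broker lookup that routes on caller-supplied rollSiteSessionId, dstRole and dstPartyId alone, beside a variant that binds the session to the authenticated calling party, which is the kind of check a reviewer would look for in the fix:

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical illustration of "exposure of data element to wrong session"
// in a message broker. Names are assumptions, not FATE identifiers.
public class SessionBindingExample {

    /** Constructed stand-in for a per-session routing record. */
    static final class Session {
        final String ownerPartyId; // party that created the session
        final String dstRole;      // destination role recorded at creation
        final String dstPartyId;   // destination party recorded at creation
        Session(String owner, String role, String party) {
            this.ownerPartyId = owner; this.dstRole = role; this.dstPartyId = party;
        }
    }

    private final Map<String, Session> sessions = new HashMap<>();

    void register(String sessionId, String owner, String role, String party) {
        sessions.put(sessionId, new Session(owner, role, party));
    }

    /** Weak pattern: whoever presents a session id reaches that session's
     *  data path, and the route is taken straight from the request. */
    String resolveUnchecked(String rollSiteSessionId, String dstRole, String dstPartyId) {
        Session s = sessions.get(rollSiteSessionId);
        if (s == null) return null;
        return rollSiteSessionId + "->" + dstRole + "/" + dstPartyId;
    }

    /** Hardened pattern: callerPartyId comes from the authenticated transport
     *  (e.g. the peer identity), never from the request body. The session must
     *  belong to the caller and the requested route must match the session. */
    String resolveChecked(String callerPartyId, String rollSiteSessionId,
                          String dstRole, String dstPartyId) {
        Session s = sessions.get(rollSiteSessionId);
        if (s == null) throw new IllegalArgumentException("unknown session");
        if (!s.ownerPartyId.equals(callerPartyId))
            throw new SecurityException("session not owned by caller");
        if (!s.dstRole.equals(dstRole) || !s.dstPartyId.equals(dstPartyId))
            throw new SecurityException("route does not match session");
        return rollSiteSessionId + "->" + s.dstRole + "/" + s.dstPartyId;
    }
}
```

In the unchecked variant a request carrying another party's session id, or a mismatched dstRole/dstPartyId, is routed without complaint; the checked variant rejects both cases before any data is forwarded.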

Defensive priority

Given the low CVSS score and high complexity of exploitation, this vulnerability may not be a critical priority for immediate remediation. However, it should be reviewed and addressed as part of regular security maintenance to ensure the overall security posture of FederatedAI FATE installations.

Recommended defensive actions

  • Review and apply the pending pull request to fix the vulnerability.
  • Ensure that the FederatedAI FATE installation is up to date with the latest security patches.
  • Monitor system logs for any suspicious activity related to the OSX Broker component.
  • Consider implementing additional security controls to mitigate potential impacts of this vulnerability.
  • Perform a thorough risk assessment to determine the relevance and potential impact of this vulnerability on specific environments.

Evidence notes

The CVE-2026-14621 vulnerability was identified in FederatedAI FATE up to version 2.2.0. The vulnerability affects the OSX Broker component and has a CVSS score of 1.3. The exploit has been disclosed publicly, and a fix is pending acceptance. The primary source of this information is the NVD database, which provides detailed records of CVEs.

Official resources

This article is AI-assisted and based on the supplied source corpus.