PatchSiren

CVE-2026-9142 NI CVE debrief

CVE-2026-9142 is a critical insecure default credentials vulnerability in NI grpc-device. When TLS configuration is not present and the server is bound beyond loopback, an unauthenticated user may access the server on the local network. This affects NI grpc-device versions 2.17.0 and prior. The CVSS score is 9.3, which is critical severity. Defenders should assess their exposure and prioritize patching.

Vendor: NI
Product: grpc-device
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Organizations using NI grpc-device, especially those with servers bound beyond loopback without TLS configuration, should be concerned. This vulnerability could allow unauthorized access on the local network.

Technical summary

The vulnerability exists in NI grpc-device when TLS configuration is not present. If the server is bound beyond loopback, an unauthenticated user could access the server on the local network. The affected versions are 2.17.0 and prior. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating critical severity.

Defensive priority

High priority due to the high CVSS score and the potential for unauthorized access.

Recommended defensive actions

  • Inventory NI grpc-device installations to identify potential exposure
  • Review and apply TLS configuration for grpc-device servers
  • Limit server bindings to loopback where possible
  • Upgrade to a version of NI grpc-device that is not vulnerable
  • Monitor for unauthorized access attempts on the local network
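
The inventory, TLS and binding checks above can be run together over collected server configurations. The script below is an added example, not NI's code or part of the original advisory. It assumes a JSON server config with an "address" key and a "security" object holding "server_cert" and "server_key", and it assumes a missing address means all interfaces; the host labels, file contents and version numbers in the samples are constructed.

```python
import ipaddress
import json

AFFECTED_MAX = (2, 17, 0)  # from the page: versions 2.17.0 and prior are affected

def is_loopback(address: str) -> bool:
    """True only for a loopback IP literal or the name 'localhost'."""
    host = address.strip().strip("[]")  # accept bracketed IPv6 such as [::1]
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty value or other hostname: treat as reachable

def has_tls(security: dict) -> bool:
    """Assumption: TLS is in effect only when certificate and key are both set."""
    return bool(security.get("server_cert")) and bool(security.get("server_key"))

def audit(config_json: str, version: str) -> list:
    """Return findings for one server config; an empty list means none."""
    cfg = json.loads(config_json)
    # Assumption: a missing "address" key means listening on all interfaces.
    address = cfg.get("address", "[::]")
    plaintext = not has_tls(cfg.get("security") or {})
    findings = []
    if plaintext and not is_loopback(address):
        findings.append(f"no TLS and bound to {address}: open to the local network")
    elif plaintext:
        findings.append("no TLS, but the loopback-only binding limits exposure")
    if tuple(int(p) for p in version.split(".")[:3]) <= AFFECTED_MAX:
        findings.append(f"version {version} is in the affected range (<= 2.17.0)")
    return findings

# Constructed sample inventory (host label -> config text, installed version).
SAMPLES = {
    "bench-01": ('{"address": "[::]", "security": {"server_cert": "", "server_key": ""}}', "2.17.0"),
    "bench-02": ('{"address": "127.0.0.1", "security": {}}', "2.16.0"),
    "bench-03": ('{"address": "0.0.0.0", "security": {"server_cert": "s.crt", "server_key": "s.key"}}', "2.18.0"),
}

if __name__ == "__main__":
    for host, (cfg, ver) in SAMPLES.items():
        print(host, audit(cfg, ver) or "no findings")
```

Confirm the key names and the default bind behaviour against the official grpc-device documentation for the installed version before relying on the result.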

Evidence notes

The primary evidence comes from the CVE record and NVD detail. The vulnerability affects NI grpc-device versions 2.17.0 and prior. Defenders should verify their grpc-device configurations and versions against official documentation.

This article is AI-assisted and based on the supplied source corpus.