CRITICAL
ModelTC
CVE published 2026-02-17
CVE-2026-26220
CVE-2026-26220 is a critical vulnerability in LightLLM version 1.1.0 and prior. The vulnerability allows unauthenticated remote code execution in PD disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achie [truncated]