CVE-2026-24209 Overview
CVE-2026-24209 is a path traversal vulnerability in NVIDIA Triton Inference Server. A remote attacker can supply crafted input that escapes the intended directory boundary using traversal sequences such as ../. Successful exploitation can trigger a denial-of-service condition against the inference server.
The flaw is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. The vulnerability is network-reachable and requires no authentication or user interaction. NVIDIA has published a security advisory tracking the issue.
Critical Impact
Unauthenticated remote attackers can disrupt availability of Triton Inference Server instances exposed on a network, halting machine learning inference workloads that production applications depend on.
Affected Products
- NVIDIA Triton Inference Server (versions identified in NVIDIA Security Bulletin ID 5828)
- Deployments running on Linux kernel-based hosts
- Containerized Triton workloads exposed via network endpoints
Discovery Timeline
- 2026-05-20 - CVE CVE-2026-24209 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-24209
Vulnerability Analysis
NVIDIA Triton Inference Server is an open-source platform that serves machine learning models from frameworks such as TensorFlow, PyTorch, ONNX, and TensorRT. The server exposes HTTP and gRPC endpoints that accept inference, model management, and repository operations.
The vulnerability stems from insufficient validation of pathname components processed by the server. An attacker who supplies traversal sequences can reference locations outside the intended model or resource directory. The resulting access pattern triggers an unrecoverable error condition that affects service availability.
The issue affects confidentiality and integrity minimally according to the CVSS vector, but availability impact is high. Exploitation does not require credentials, which expands the exposure surface for any Triton instance reachable from untrusted networks.
Root Cause
The root cause is improper sanitization of pathname input as described by CWE-22. Triton accepts path data without fully canonicalizing the resolved location against an allowed base directory. Traversal sequences pass validation and reach lower-level file or resource handling logic.
Attack Vector
An unauthenticated remote attacker sends a malformed request to a network-exposed Triton endpoint. The request contains path components that resolve outside the model repository. The server processes the request and enters a fault state that interrupts inference services for legitimate clients. Refer to the NVIDIA security advisory for full technical guidance.
Detection Methods for CVE-2026-24209
Indicators of Compromise
- HTTP or gRPC requests to Triton endpoints containing ../, ..\, or URL-encoded equivalents such as %2e%2e%2f in path or model name fields
- Unexpected restarts, crashes, or hangs of the tritonserver process and associated container exits
- Spikes in 5xx responses or gRPC UNAVAILABLE status codes from Triton clients
Detection Strategies
- Inspect web application firewall and reverse proxy logs for traversal patterns directed at Triton HTTP ports (default 8000) and gRPC ports (default 8001)
- Correlate Triton service crash events with preceding inbound requests targeting /v2/models/, /v2/repository/, or similar paths
- Apply CWE-22-aligned signatures in intrusion detection systems to flag encoded traversal sequences
Monitoring Recommendations
- Forward Triton access logs, container runtime events, and host telemetry into a centralized analytics platform for correlation
- Alert on repeated client errors followed by service unavailability from the same source IP
- Track model repository file access patterns and flag references to paths outside the configured --model-repository directory
How to Mitigate CVE-2026-24209
Immediate Actions Required
- Apply the fixed Triton Inference Server release referenced in NVIDIA Security Bulletin 5828
- Restrict network exposure of Triton HTTP and gRPC ports to trusted client subnets only
- Place Triton behind an authenticating reverse proxy that filters traversal sequences from request paths and parameters
Patch Information
NVIDIA has published remediation guidance in NVIDIA Support Answer 5828. Operators should upgrade to the patched Triton Inference Server build identified in that advisory. Additional record details are available at the NVD entry for CVE-2026-24209 and the CVE.org record.
Workarounds
- Deploy Triton inside an isolated network segment and require mutual TLS or VPN access for clients
- Configure an upstream proxy rule to reject requests whose decoded paths contain .. segments before they reach Triton
- Run the tritonserver process under a least-privileged service account inside a container with a read-only model repository mount
# Example NGINX rule to block path traversal attempts before they reach Triton
location / {
if ($request_uri ~* "(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)") {
return 400;
}
proxy_pass http://triton_upstream:8000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
