CVE-2026-31220 Overview
CVE-2026-31220 is a remote code execution flaw in PySyft (Syft Datasite/Server) versions 0.9.5 and earlier. The platform exposes a @sy.syft_function() decorator that lets low-privileged users submit Python code for remote execution on the server. An approval workflow exists, but it performs no security checks against dangerous operations such as file access or command execution. Once approved, the code runs inside the server process through exec() and eval() with no sandboxing or isolation. An attacker who passes the approval step, or who can influence an approver, executes arbitrary Python on the host. The result is full compromise of the Syft server environment [CWE-94].
Critical Impact
Network-reachable attackers can execute arbitrary Python on PySyft Datasite servers running version 0.9.5 or earlier, yielding complete confidentiality, integrity, and availability loss.
Affected Products
- OpenMined PySyft (Syft Datasite/Server) version 0.9.5
- OpenMined PySyft (Syft Datasite/Server) versions earlier than 0.9.5
- Deployments exposing the @sy.syft_function() submission and approval workflow
Discovery Timeline
- 2026-05-12 - CVE-2026-31220 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-31220
Vulnerability Analysis
PySyft implements federated and privacy-preserving computation by letting data scientists submit Python functions to remote Datasite servers. Users register functions through the @sy.syft_function() decorator, and a data owner approves or rejects the submitted code. The approval gate is a process control, not a technical sandbox. Submitted code is stored, then handed to exec() and eval() inside the server process when invoked. There is no abstract syntax tree review, no import allow-list, and no operating system isolation. Any approved function can call os.system, open arbitrary files, import subprocess, or load native libraries. The server process therefore inherits the privileges of whatever account runs the Datasite, often a service account with broad filesystem and network reach.
Root Cause
The root cause is improper control of generation of code [CWE-94]. PySyft trusts the approval workflow to substitute for runtime isolation. Because approvers cannot reliably reason about every Python construct, malicious payloads pass review when they are obfuscated or hidden inside otherwise benign analytics code.
Attack Vector
The attack vector is network-based and requires no authentication beyond the standard low-privileged user role that the platform grants. An attacker registers as a data scientist, submits a @sy.syft_function() containing arbitrary Python, and waits for approval. Once executed, the payload runs in the server process and can read datasets, exfiltrate credentials, pivot to backend services, or persist on the host.
The vulnerability is exercised by submitting Python code through the standard @sy.syft_function() decorator. No verified proof-of-concept code has been published. See the OpenMined PySyft repository for technical references: https://github.com/OpenMined/PySyft
Detection Methods for CVE-2026-31220
Indicators of Compromise
- Syft server processes spawning child processes such as sh, bash, python -c, curl, or wget outside of normal operator activity.
- Outbound network connections from the Datasite host to unfamiliar IPs or domains immediately after a function approval event.
- Unexpected reads of /etc/shadow, cloud metadata endpoints, or credential files by the Syft server process.
- Syft audit log entries showing approved functions that import os, subprocess, socket, ctypes, or builtins.__import__.
Detection Strategies
- Inspect stored function bodies in the Datasite database for dangerous identifiers including exec, eval, compile, __import__, subprocess, and os.system before approval.
- Hunt for process trees where the PySyft server process is the parent of shell, scripting, or network utilities.
- Correlate function-approval timestamps with anomalous filesystem and network telemetry on the Datasite host.
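The process-tree hunt and approval correlation described above, as an added example that is not PySyft or vendor code. The event fields, the "syft-server" process name, and the five-minute window are assumptions, and the telemetry is constructed.

```python
from datetime import datetime, timedelta

# Child process names the advisory lists as indicators.
SUSPECT_CHILDREN = {"sh", "bash", "python", "curl", "wget"}

# Constructed telemetry; field names and the "syft-server" process name are
# assumptions, not a PySyft audit-log or EDR schema.
EVENTS = [
    {"ts": "2026-05-13T09:00:05", "type": "approval", "function": "summarize"},
    {"ts": "2026-05-13T09:01:10", "type": "process", "parent": "syft-server", "child": "curl"},
    {"ts": "2026-05-13T09:02:00", "type": "process", "parent": "sshd", "child": "bash"},
    {"ts": "2026-05-13T11:30:00", "type": "process", "parent": "syft-server", "child": "bash"},
    {"ts": "2026-05-13T12:00:00", "type": "approval", "function": "mean_age"},
    {"ts": "2026-05-13T12:00:30", "type": "process", "parent": "syft-server", "child": "uvicorn"},
]


def hunt(events, server_name="syft-server", window=timedelta(minutes=5)):
    """Flag suspect children of the server and attach approvals from the prior window."""
    approvals, hits = [], []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "approval":
            approvals.append((when, ev["function"]))
        elif (ev["type"] == "process" and ev["parent"] == server_name
              and ev["child"] in SUSPECT_CHILDREN):
            # Events are processed in time order, so every stored approval precedes this spawn.
            recent = [fn for t, fn in approvals if when - t <= window]
            # An empty list means no approval in the window; the spawn is still an indicator.
            hits.append({"ts": ev["ts"], "child": ev["child"], "approved_functions": recent})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```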
Monitoring Recommendations
- Enable verbose audit logging for the PySyft approval workflow and forward events to a centralized log store.
- Monitor egress traffic from Datasite hosts and alert on connections to non-allow-listed destinations.
- Track file integrity for PySyft installation directories, Python site-packages, and user home directories on the server.
How to Mitigate CVE-2026-31220
Immediate Actions Required
- Restrict network access to PySyft Datasite servers so that only trusted users can reach the submission endpoint.
- Suspend the function approval workflow until reviewers can perform manual code inspection of every submission.
- Rotate credentials, API tokens, and signing keys accessible from the Syft server process if compromise is suspected.
- Run the Datasite under a dedicated low-privilege account with no access to secrets or production data stores.
Patch Information
No fixed version is identified in the NVD record at the time of publication. Track the OpenMined PySyft repository for releases beyond 0.9.5 and review release notes for fixes addressing CVE-2026-31220 before upgrading.
Workarounds
- Execute submitted @sy.syft_function() code inside a hardened sandbox such as a per-request container, gVisor, or a seccomp-restricted process with no network egress.
- Apply an allow-list of Python modules and reject submissions that reference os, subprocess, socket, ctypes, or dynamic import primitives.
- Require multi-reviewer approval and static analysis of every submitted function before it is permitted to execute.
- Disable the function submission feature entirely on Datasites that do not require it.
# Example: run the Datasite under an unprivileged user with no shell
sudo useradd --system --shell /usr/sbin/nologin syft
sudo -u syft python -m syft.server --host 127.0.0.1 --port 8080
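# Restrict inbound access at the host firewall (applies when the server listens
# on a routable address; a 127.0.0.1 bind is already unreachable from 10.0.0.0/24)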
sudo iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
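A pre-approval static check covering both the stored-function inspection under Detection Strategies and the module allow-list workaround, as an added example that is not PySyft code. The allow-list contents and the dunder-attribute check are assumptions added here, and the two sample submissions are constructed and only parsed, never executed.

```python
import ast

# Assumed allow-list for illustration; set per Datasite.
ALLOWED_MODULES = {"math", "statistics", "numpy", "pandas"}
# Identifiers the advisory names as dangerous.
DENIED_NAMES = {"exec", "eval", "compile", "__import__"}

# Constructed submissions (parsed only, never executed here).
BENIGN = '''
import numpy as np
def mean_age(data):
    return float(np.mean(data["age"]))
'''
FLAGGED = '''
import pandas as pd
def summarize(data):
    import subprocess
    helper = __import__("os")
    return pd.DataFrame(data).describe()
'''


def review_submission(source):
    """Return sorted (line, reason) findings; an empty list means none."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "does not parse")]
    findings = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = ["<relative>"] if node.level else [node.module]
        for mod in modules:
            if mod.split(".")[0] not in ALLOWED_MODULES:
                findings.append((line, f"import '{mod}' not on allow-list"))
        if isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            findings.append((line, f"reference to '{node.id}'"))
        # Added check (not from the advisory): dunder attributes can reach
        # builtins and loaded modules without naming them.
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append((line, f"dunder attribute '{node.attr}'"))
    return sorted(findings)

if __name__ == "__main__":
    print(review_submission(FLAGGED))
```

An empty result only means the submission passed this filter; it does not replace the sandboxing workaround, since the approval gate is a process control and not isolation.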