
CVE-2026-53805: NVIDIA GEN3C Unauthenticated RCE Flaw

CVE-2026-53805 is an unauthenticated remote code execution vulnerability in NVIDIA's GEN3C inference API server caused by unsafe pickle deserialization. This article covers technical details, exploitation risks, and mitigation.


CVE-2026-53805 Overview

CVE-2026-53805 is an unauthenticated remote code execution vulnerability in NVIDIA Spatial Intelligence Lab's (SIL) GEN3C inference API server. The /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can submit a crafted payload containing a __reduce__ gadget to the inference API port and execute arbitrary code as the inference process. The flaw is classified under [CWE-502] Deserialization of Untrusted Data.

Critical Impact

Network-reachable, unauthenticated attackers can execute arbitrary code on GEN3C inference servers, gaining control of GPU-backed AI workloads and any data they process.

Affected Products

  • NVIDIA Spatial Intelligence Lab (SIL) GEN3C
  • GEN3C inference API server (/request-inference endpoint)
  • GEN3C inference API server (/seed-model endpoint)

Discovery Timeline

  • 2026-06-17 - CVE-2026-53805 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-53805

Vulnerability Analysis

GEN3C exposes an HTTP inference API used to drive 3D generative model workloads. Two endpoints, /request-inference and /seed-model, read the raw HTTP request body and pass it directly to Python's pickle.loads(). The pickle module is documented as unsafe for untrusted input because deserialization can invoke arbitrary callables defined by the serialized object. No authentication, signing, or schema validation gates the endpoints, so any client able to reach the API port can trigger deserialization. Successful exploitation yields code execution under the privileges of the inference process, which typically holds access to model weights, training data, and GPU resources.

Root Cause

The root cause is unsafe deserialization of attacker-controlled bytes [CWE-502]. Python's pickle format permits objects to define a __reduce__ method that returns a callable and arguments used during reconstruction. When pickle.loads() processes such an object, it invokes the callable with attacker-supplied arguments. Combined with the absence of authentication on the affected endpoints, this turns a single HTTP POST into arbitrary code execution.
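The pattern described above, beside a hardened replacement, as an added example (this is not GEN3C's own code, and the JSON field names `prompt` and `num_frames` and the sample bodies are constructed assumptions). The restricted unpickler is shown only as a stop-gap for a wire format that cannot be changed yet; the preferred fix is the JSON parser that never touches pickle.

```python
import datetime
import io
import json
import pickle

# Constructed sample bodies (not from the advisory). The date pickle serialises a
# harmless stdlib object, but rebuilding it still needs a STACK_GLOBAL lookup and a
# REDUCE call, so it stands in for any body that asks the unpickler to call something.
GOOD_JSON_BODY = b'{"prompt": "a street at dusk", "num_frames": 8}'
BENIGN_PICKLE_BODY = pickle.dumps({"prompt": "x", "num_frames": 2})
PICKLE_CALL_BODY = pickle.dumps(datetime.date(2026, 6, 17))


def vulnerable_handler(body: bytes):
    """The pattern the advisory describes: the raw HTTP body goes straight to pickle.loads()."""
    return pickle.loads(body)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL/STACK_GLOBAL lookup, so no callable can be resolved and
    no __reduce__ gadget can fire; only primitive containers survive. A stop-gap for a
    wire format that cannot be changed yet, not a substitute for dropping pickle."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(body: bytes):
    return NoGlobalsUnpickler(io.BytesIO(body)).load()


def parse_inference_request(body: bytes) -> dict:
    """Preferred fix: a schema-checked JSON object; the field names are assumptions."""
    req = json.loads(body.decode("utf-8"))  # non-UTF-8 input (e.g. a pickle) fails here
    if not isinstance(req, dict) or not isinstance(req.get("prompt"), str):
        raise ValueError("request must be a JSON object with a string prompt")
    frames = req.get("num_frames", 1)
    if isinstance(frames, bool) or not isinstance(frames, int) or not 1 <= frames <= 120:
        raise ValueError("num_frames must be an integer between 1 and 120")
    return {"prompt": req["prompt"], "num_frames": frames}
```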

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker sends an HTTP POST to /request-inference or /seed-model containing a serialized Python object whose __reduce__ method invokes a shell command, spawns a reverse shell, or imports additional payloads. The inference server deserializes the body, executes the gadget, and returns control to the attacker. Refer to the VulnCheck Advisory on RCE for further technical analysis. No verified exploit code is published in the enriched dataset, so a synthetic payload is not reproduced here.

Detection Methods for CVE-2026-53805

Indicators of Compromise

  • HTTP POST requests to /request-inference or /seed-model with Content-Type headers other than expected JSON, or with binary bodies beginning with the pickle protocol marker bytes (0x80 0x04 or 0x80 0x05).
  • Child processes of the GEN3C inference server spawning shells (/bin/sh, /bin/bash), python -c one-liners, or network utilities such as curl, wget, or nc.
  • Outbound connections from the GEN3C host to previously unseen IP addresses shortly after inbound requests to the inference API port.

Detection Strategies

  • Inspect application logs for requests to /request-inference and /seed-model and alert on bodies that fail JSON parsing or contain pickle opcodes.
  • Hunt for unexpected process lineage where the inference server's Python interpreter is the parent of shell or interpreter processes.
  • Correlate inbound HTTP requests to the inference port with subsequent file writes outside the model cache directory.
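Detection logic for the request-body and process-lineage indicators listed above, run over constructed samples, as an added example that is not from the page or from GEN3C. It goes slightly beyond the page by treating any protocol 2 through 5 header (0x80 followed by 0x02..0x05) as a pickle marker, and it assumes the inference server's command line contains "gen3c".

```python
import datetime
import json
import pickle
import pickletools

# Opcodes that make the unpickler look up or call something; JSON-shaped data never needs them.
CALLABLE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
SHELL_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat"}
WATCHED_PATHS = ("/request-inference", "/seed-model")

# Constructed sample bodies (not from the advisory); the date pickle needs
# STACK_GLOBAL + REDUCE to rebuild, the dict pickle needs neither.
JSON_BODY = b'{"prompt": "a street at dusk", "num_frames": 8}'
PICKLE_DICT_BODY = pickle.dumps({"prompt": "a street at dusk"})
PICKLE_CALL_BODY = pickle.dumps(datetime.date(2026, 6, 17))


def inspect_request(path: str, content_type: str, body: bytes) -> list:
    """Findings for one inbound request; an empty list means nothing suspicious."""
    findings = []
    if path not in WATCHED_PATHS:
        return findings
    if not content_type.lower().startswith("application/json"):
        findings.append("unexpected-content-type")
    if len(body) >= 2 and body[0] == 0x80 and 2 <= body[1] <= 5:
        findings.append("pickle-protocol-header")
    try:
        json.loads(body.decode("utf-8"))
    except ValueError:  # UnicodeDecodeError is a ValueError too
        findings.append("body-not-json")
    try:
        ops = {op.name for op, _arg, _pos in pickletools.genops(body)}
    except Exception:  # not a parseable pickle stream at all
        ops = set()
    if ops & CALLABLE_OPCODES:
        findings.append("pickle-callable-opcodes")
    return findings


def suspicious_lineage(parent_cmd: str, child_cmd: str) -> bool:
    """True when the GEN3C interpreter (assumed to have 'gen3c' in its command line)
    spawns a shell, a network utility, or a python -c one-liner."""
    argv = child_cmd.split()
    if not argv or "gen3c" not in parent_cmd.lower():
        return False
    exe = argv[0].rsplit("/", 1)[-1]
    if exe.startswith("python"):
        return "-c" in argv[1:]  # a normal worker script is not flagged
    return exe in SHELL_CHILDREN
```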

Monitoring Recommendations

  • Forward GEN3C application logs, host process telemetry, and network flow data into a centralized analytics platform for correlation.
  • Baseline normal inference workload behavior, including expected child processes and outbound destinations, and alert on deviations.
  • Apply MITRE ATT&CK mappings for T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter) to inference workload telemetry.

How to Mitigate CVE-2026-53805

Immediate Actions Required

  • Restrict network access to the GEN3C inference API so only trusted client systems can reach /request-inference and /seed-model.
  • Update GEN3C to a revision that includes the upstream fix (GitHub pull requests #62 and #63 and the associated commit).
  • Audit GEN3C hosts for signs of prior exploitation, including unexpected processes, persistence mechanisms, and outbound connections.

Patch Information

The upstream maintainers addressed the deserialization flaw in commit db2ffe12ced12ddafcec5e0422ee46ce8520746b and the associated pull requests #62 and #63. Deploy a build that includes these changes and confirm that the affected endpoints no longer invoke pickle.loads() on raw HTTP bodies.

Workarounds

  • Place the GEN3C inference API behind an authenticating reverse proxy and require mutual TLS or signed tokens before requests reach the application.
  • Bind the inference server to a loopback interface or private network segment and disallow direct internet exposure.
  • Run the inference process under a least-privilege account inside a container with read-only filesystem, no outbound network egress, and seccomp restrictions on execve to limit post-exploitation impact.
```bash
# Example: restrict inference API to localhost and front with an authenticated proxy
# 1. Bind GEN3C to loopback only (variable names are illustrative; check the
#    server's own configuration for the real bind options)
export GEN3C_BIND_ADDR=127.0.0.1
export GEN3C_BIND_PORT=8000

# 2. Block external access to the inference port at the host firewall.
#    Insert at the head of INPUT so an earlier ACCEPT rule cannot bypass it.
sudo iptables -I INPUT 1 -p tcp --dport 8000 ! -i lo -j DROP

# 3. Require authentication via reverse proxy (nginx snippet; needs ngx_http_auth_request_module)
# location /request-inference { auth_request /authz; proxy_pass http://127.0.0.1:8000; }
# location /seed-model        { auth_request /authz; proxy_pass http://127.0.0.1:8000; }
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
