NVIDIA KAI Scheduler Flaw: Unauthorized API Access Poses Data Risk

The National Vulnerability Database has disclosed CVE-2026-24177, a high-severity vulnerability (CVSS 7.7) affecting NVIDIA KAI Scheduler. This flaw, categorized as CWE-306 (Missing Authentication for Critical Function), allows an attacker to access API endpoints without proper authorization.

A successful exploit of this vulnerability could lead directly to information disclosure. The lack of authentication on critical API endpoints is a fundamental security breakdown, offering attackers a low-friction path to sensitive data. While specific affected products are not detailed by the National Vulnerability Database, organizations utilizing NVIDIA KAI Scheduler should assume exposure.

This isn’t just a theoretical bug; it’s a clear avenue for attackers to exfiltrate data. The attacker’s calculus is simple: find an unauthenticated endpoint, query it, and dump whatever information comes back. Defenders need to prioritize this. Unauthenticated access is a gift to adversaries, especially when it touches API endpoints that often handle sensitive operational or user data.

What This Means For You

  • If your organization uses NVIDIA KAI Scheduler, you need to identify all deployments immediately. Prioritize patching or implementing compensating controls to restrict access to API endpoints until a fix is available. Audit logs for any anomalous access attempts to KAI Scheduler APIs.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access), severity high. Detection rule: "NVIDIA KAI Scheduler Unauthorized API Access - CVE-2026-24177" (Sigma YAML).

Indicators of Compromise

  • CVE-2026-24177 (type: Vulnerability)

Source & Attribution

  • Source platform: NVD
  • Channel: National Vulnerability Database
  • Published: April 21, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
