Gradient CI/CD System Critical Vulnerability Allows Unauthenticated Worker Registration

The National Vulnerability Database (NVD) has disclosed CVE-2026-44592, a critical vulnerability in Gradient, a Nix-based continuous integration system. The flaw, rated CVSS 9.4, allows unauthenticated attackers to register as workers when the GRADIENT_DISCOVERABLE flag is set to true, which is the default configuration, including for the NixOS module. Attackers only need to send a fresh, unregistered worker UUID to the /proto endpoint.

Once registered, these rogue workers gain PeerAuth::Open privileges, which means they can access jobs from all organizations within the Gradient environment. Critically, they can immediately use NarPush/NarUploaded to push arbitrary store paths into nar_storage and the cached_path table. This is a supply chain nightmare, enabling arbitrary code injection and data exfiltration within the CI/CD pipeline.

The vulnerability is fixed in Gradient version 1.1.1. Any organization leveraging Gradient for their CI/CD processes, especially with the default discoverable setting, must prioritize upgrading immediately. Failure to do so leaves their entire software supply chain exposed to unauthenticated compromise and malicious code injection.

What This Means For You

  • If your organization uses Gradient for CI/CD, you are critically exposed. This isn't just a theoretical vulnerability; it's an unauthenticated path to inject malicious code directly into your build and deployment pipelines. Check your Gradient version immediately and upgrade to 1.1.1 or later. If you cannot upgrade, disable `GRADIENT_DISCOVERABLE` and implement strict network segmentation to block access to the `/proto` endpoint from untrusted networks.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-44592 - Unauthenticated Gradient Worker Registration

```yaml
title: CVE-2026-44592 - Unauthenticated Gradient Worker Registration
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects unauthenticated access to the /proto endpoint in Gradient CI/CD system (versions prior to 1.1.1) which allows for worker registration without credentials. This is the primary vector for exploitation of CVE-2026-44592, enabling attackers to register as workers and gain unauthorized access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44592/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # All three fields must match on the same log event:
  # a POST to a URI containing /proto that returned HTTP 200.
  selection:
    cs-uri|contains: '/proto'
    cs-method: 'POST'
    sc-status: 200
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse
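A triage pass to run alongside the rule above, as an added example that is not from Gradient or the original post: it applies the rule's criteria (POST, /proto, 200) to combined-format access logs and keeps only hits from outside known worker networks. The log format, the `WORKER_NETS` allowlist, the assumption that /proto is served at the root path, and all sample lines are constructed for illustration.

```python
import ipaddress
import re

# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: networks your real Gradient workers connect from.
WORKER_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.0.11 - - [14/May/2026:22:30:01 +0000] "POST /proto HTTP/1.1" 200 512 "-" "worker"
203.0.113.45 - - [14/May/2026:22:31:17 +0000] "POST /proto HTTP/1.1" 200 498 "-" "-"
203.0.113.45 - - [14/May/2026:22:31:18 +0000] "GET /proto HTTP/1.1" 405 0 "-" "-"
198.51.100.7 - - [14/May/2026:22:32:40 +0000] "POST /proto?x=1 HTTP/1.1" 200 120 "-" "-"
198.51.100.9 - - [14/May/2026:22:33:02 +0000] "POST /prototype HTTP/1.1" 200 90 "-" "-"
not a log line
"""

def is_proto(path):
    """True for /proto itself or a sub-path, ignoring any query string.

    Tighter than a substring match, so /prototype is not counted."""
    p = path.split("?", 1)[0]
    return p == "/proto" or p.startswith("/proto/")

def suspicious_registrations(log_text, worker_nets=WORKER_NETS):
    """Return (timestamp, ip) for successful POSTs to /proto from unknown hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not is_proto(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if not any(ip in net for net in worker_nets):
            hits.append((m["ts"], str(ip)))
    return hits

if __name__ == "__main__":
    for ts, ip in suspicious_registrations(SAMPLE_LOG):
        print(f"{ts} POST /proto 200 from non-worker address {ip}")
```

Behind a reverse proxy, the client field must carry the real source address for the allowlist comparison to mean anything.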

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44592 | Vulnerability | CVE-2026-44592 |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
