External risk intelligence

OmniGen2-RL Reward Server Unauthenticated Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-25873

The vulnerability exists in a reward server component that accepts HTTP POST requests. As a network-accessible service designed to receive and process remote requests, it functions as an API or edge service. Such components are commonly deployed to be externally reachable in modern AI training or application environments, making them likely to be exposed to the internet.

Deserialization

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the OmniGen2-RL reward server allows attackers to execute commands remotely by sending specially crafted requests. This issue stems from the way the system handles data deserialization, potentially enabling unauthorized control over the host system. The main concern is confirming if our environment utilizes this specific technology and is exposed to this threat.

  • Unauthenticated remote code execution flaw.
  • Critical for systems using OmniGen2-RL reward server.
  • Verify usage and exposure to this risk.

Attack Path

How an attacker could exploit the issue

An attacker can initiate an attack by sending specially crafted HTTP POST requests to the reward server component of OmniGen2-RL. This server is accessible remotely and does not require authentication. By exploiting an insecure deserialization vulnerability related to pickle, the attacker can execute arbitrary commands on the host system running the service.

  • Unauthenticated remote access required.
  • Malicious HTTP POST request triggers deserialization.
  • Arbitrary command execution on host system.

Live Threat

Current exploitation, exposure, and threat context

The reward server component of OmniGen2-RL could be exploited by remote attackers to execute arbitrary commands. This could occur when the server processes malicious HTTP POST requests, leading to code execution on the host system through insecure deserialization of request bodies.

  • Host system command execution at risk.
  • Malicious HTTP POST requests could trigger it.
  • Compromised host system and service.

Operational Fix

Recommended remediation, mitigation, and detection steps

The OmniGen2-RL reward server's unauthenticated remote code execution vulnerability necessitates swift action from infrastructure and security teams. The first practical step involves identifying all instances of the affected reward server, confirming its network reachability and business criticality, and then pinpointing the accountable system owner to formulate a risk-based remediation plan.

  • Infrastructure and Security teams own the issue.
  • Verify network exposure and criticality first.
  • Plan remediation based on verified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OmniGen2-RL?

OmniGen2-RL is a framework used in machine learning research, specifically involving reinforcement learning workflows. The reward server component is a modular service within this framework designed to ingest feedback data, often functioning as an API endpoint to facilitate communication between training environments and the model’s reward mechanisms.

How does CVE-2026-25873 cause code execution?

This vulnerability is classified as CWE-502, which concerns insecure deserialization. The reward server uses Python's 'pickle' module to reconstruct objects from HTTP POST requests without validating the input. An attacker can craft a malicious, serialized object that, when unpacked by the server, forces the host machine to execute arbitrary commands.

What triggers this vulnerability?

The vulnerability is triggered when the reward server receives a specially crafted HTTP POST request containing malicious serialized data. It is important to note that legitimate traffic that does not utilize the specific pickle-based deserialization process is not the mechanism of attack; rather, the flaw lies in the server's blind acceptance and processing of untrusted serialized request bodies.

Is my OmniGen2-RL instance at risk?

Halo Surface Signal indicates that because the reward server acts as a network-accessible API, it is likely to be reachable from the internet, increasing the likelihood of exposure. You should verify if your specific implementation of the reward server is configured to accept remote traffic or if it is isolated within a restricted network environment.

What should I do first to address CVE-2026-25873?

Begin by auditing your infrastructure to locate all instances of the OmniGen2-RL reward server. Once identified, evaluate the network reachability of these components to determine if they are exposed to external connections. Finally, coordinate with your system owners to prioritize these services for protective measures based on their business criticality.

References