CVE-2026-4851 (GCVE-0-2026-4851)

Vulnerability from cvelistv5 – Published: 2026-03-29 00:22 – Updated: 2026-04-01 14:17
VLAI?
Title
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization
Summary
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol. read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval() $arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41 $arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response: $VAR1 = do { system("..."); }; This executes on the client silently on every RPC call, as the return values remain correct. This functionality is by design but the trust requirement for the remote host is not documented in the distribution.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
Impacted products
Vendor Product Version
CASIANO GRID::Machine Affected: 0 , ≤ 0.127 (custom)
Create a notification for this product.
Credits
Pied Crow crow@cpan.org
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-29T00:23:56.336Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/26/6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4851",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T14:17:04.307893Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T14:17:48.164Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "GRID-Machine",
          "product": "GRID::Machine",
          "programFiles": [
            "lib/GRID/Machine/Message.pm"
          ],
          "programRoutines": [
            {
              "name": "GRID::Machine::read_operation()"
            }
          ],
          "vendor": "CASIANO",
          "versions": [
            {
              "lessThanOrEqual": "0.127",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pied Crow crow@cpan.org"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\n\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\n\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\n\n  $arg .= \u0027$VAR1\u0027;\n  my $val = eval \"no strict; $arg\"; # line 40-41\n\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\n\n  $VAR1 = do { system(\"...\"); };\n\nThis executes on the client silently on every RPC call, as the return values remain correct.\n\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-29T00:22:22.578Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2026/03/26/6"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-24T00:00:00.000Z",
          "value": "Vulnerability reported to module author and CPANSec"
        },
        {
          "lang": "en",
          "time": "2026-03-25T00:00:00.000Z",
          "value": "CVE assigned by CPANSec"
        },
        {
          "lang": "en",
          "time": "2026-03-26T00:00:00.000Z",
          "value": "Author confirmed module is unmaintained, no fix available"
        },
        {
          "lang": "en",
          "time": "2026-03-26T00:00:00.000Z",
          "value": "Disclosed on oss-security mailing list"
        }
      ],
      "title": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization",
      "workarounds": [
        {
          "lang": "en",
          "value": "There is no fix available. If used, only connect to trusted remote hosts."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-4851",
    "datePublished": "2026-03-29T00:22:22.578Z",
    "dateReserved": "2026-03-25T14:56:47.454Z",
    "dateUpdated": "2026-04-01T14:17:48.164Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-4851\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-03-29T01:15:56.967\",\"lastModified\":\"2026-04-01T15:23:23.980\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\\n\\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\\n\\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\\n\\n  $arg .= \u0027$VAR1\u0027;\\n  my $val = eval \\\"no strict; $arg\\\"; # line 40-41\\n\\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\\n\\n  $VAR1 = do { system(\\\"...\\\"); };\\n\\nThis executes on the client silently on every RPC call, as the return values remain correct.\\n\\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution.\"},{\"lang\":\"es\",\"value\":\"Las versiones de GRID::Machine hasta la 0.127 para Perl permiten ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s de deserializaci\u00f3n insegura.\\n\\nGRID::Machine proporciona Llamadas a Procedimientos Remotos (RPC) sobre SSH para Perl. El cliente se conecta a hosts remotos para ejecutar c\u00f3digo en ellos. Un host remoto comprometido o malicioso puede ejecutar c\u00f3digo arbitrario de vuelta en el cliente a trav\u00e9s de deserializaci\u00f3n insegura en el protocolo RPC.\\n\\nread_operation() en lib/GRID/Machine/Message.pm deserializa valores del lado remoto usando eval()\\n\\n  $arg .= \u0027$VAR1\u0027;\\n  my $val = eval \\\"no strict; $arg\\\"; # l\u00ednea 40-41\\n\\n$arg son bytes en bruto de la tuber\u00eda del protocolo. Un host remoto comprometido puede incrustar Perl arbitrario en la respuesta con formato Dumper:\\n\\n  $VAR1 = do { system(\\\"...\\\"); };\\n\\nEsto se ejecuta en el cliente silenciosamente en cada llamada RPC, ya que los valores de retorno permanecen correctos.\\n\\nEsta funcionalidad es intencional, pero el requisito de confianza para el host remoto no est\u00e1 documentado en la distribuci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-95\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:casiano:grid\\\\:\\\\:machine:*:*:*:*:*:perl:*:*\",\"versionEndIncluding\":\"0.127\",\"matchCriteriaId\":\"B3148991-8DC2-4D2F-8EC2-0DCB0E5B6A63\"}]}]}],\"references\":[{\"url\":\"https://www.openwall.com/lists/oss-security/2026/03/26/6\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/26/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.