Code Injection Vulnerability in Flash-Attention Project by Unknown Vendor
CVE-2026-31254

7.3HIGH

Key Information:

Vendor: Unknown Vendor
Status: Flash-Attention Project
Vendor: CVE Published:; 11 May 2026

🔔 Create Unknown Vendor Vulnerability Alert

What is CVE-2026-31254?

The Flash-Attention project is vulnerable due to a code injection flaw in its training script. This vulnerability arises from the Python eval() function being registered as a configuration resolver, enabling the execution of arbitrary Python code through specially crafted configuration files. Attackers can exploit this vulnerability by providing a malicious configuration file, which when processed by the training script, will execute the arbitrary code, potentially compromising the system's security.

References

https://www.notion.so/CVE-2026-31254-35d1e139318881a19003...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31254 Data

JSON