CVE-2026-13482
6.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Summary
A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| skypilot-org | skypilot | 0.1 | affected |
| skypilot-org | skypilot | 0.2 | affected |
| skypilot-org | skypilot | 0.3 | affected |
| skypilot-org | skypilot | 0.4 | affected |
| skypilot-org | skypilot | 0.5 | affected |
| skypilot-org | skypilot | 0.6 | affected |
| skypilot-org | skypilot | 0.7 | affected |
| skypilot-org | skypilot | 0.8 | affected |
| skypilot-org | skypilot | 0.9 | affected |
| skypilot-org | skypilot | 0.10 | affected |
| skypilot-org | skypilot | 0.11 | affected |
| skypilot-org | skypilot | 0.12.0 | affected |
Weaknesses
- CWE-328: Use of Weak Hash
- CWE-327: Risky Cryptographic Algorithm
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://vuldb.com/vuln/374479
- https://vuldb.com/vuln/374479/cti
- https://vuldb.com/cve/CVE-2026-13482
- https://vuldb.com/submit/789927
- https://github.com/skypilot-org/skypilot/issues/9194
- https://github.com/skypilot-org/skypilot/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.