CVE-2026-13482

Summary

A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure.

Affected Software

VendorProductVersion RangeStatus
skypilot-orgskypilot0.1affected
skypilot-orgskypilot0.2affected
skypilot-orgskypilot0.3affected
skypilot-orgskypilot0.4affected
skypilot-orgskypilot0.5affected
skypilot-orgskypilot0.6affected
skypilot-orgskypilot0.7affected
skypilot-orgskypilot0.8affected
skypilot-orgskypilot0.9affected
skypilot-orgskypilot0.10affected
skypilot-orgskypilot0.11affected
skypilot-orgskypilot0.12.0affected

Weaknesses

  • CWE-328: Use of Weak Hash
  • CWE-327: Risky Cryptographic Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References