CVE-2026-58658
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| gpustack | gpustack | 0 <= 2.2.1 | affected |
| gpustack | gpustack | 4e20551b5aaf76f93a8769d32b7fef999e22a4d3 | unaffected |
Weaknesses
- CWE-306: Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
- https://github.com/gpustack/gpustack/issues/5836
- https://github.com/gpustack/gpustack/issues/5836
- https://github.com/gpustack/gpustack/commit/4e20551b5aaf76f93a8769d32b7fef999e22a4d3
- https://www.vulncheck.com/advisories/gpustack-unauthenticated-information-disclosure-via-worker-endpoints
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.