CVE-2026-13482 | A vulnerability was detected in skypilot-org skypilot up to … | CVSS 3.7 LOW

Description

A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure.

Metadata

CVE ID: CVE-2026-13482
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-27 13:54 UTC
Published: 2026-06-28 04:30 UTC
Last updated: 2026-06-28 04:30 UTC
Primary CWE: CWE-328
Use of Weak Hash
Vendor / Product: skypilot-org / skypilot
Sources: cve.org · NVD

Severity & Metrics

3.7 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
skypilot-org	skypilot	—	0.1, 0.2, 0.3, 0.4 …

Weakness (CWE)

CWE	Source	Description
CWE-327	cna	Risky Cryptographic Algorithm
CWE-328	cna	Use of Weak Hash

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
3.7	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3.7	LOW	3.0	cna	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
2.6	N/D	2.0	cna	AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR

References (6)

VDB-374479 | skypilot-org skypilot User ID server.py username.encode weak hash https://vuldb.com/vuln/374479
VDB-374479 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/374479/cti
CVE-2026-13482 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13482
Submit #789927 | skypilot-org skypilot 0.12.0 Algorithm Downgrade https://vuldb.com/submit/789927
https://github.com/skypilot-org/skypilot/issues/9194
https://github.com/skypilot-org/skypilot/