Back to overview

CVE-2026-58658

HIGH Exploitation: PoC
8.2
CVSS 3.1
Description
GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication.

Metadata

CVE ID
CVE-2026-58658
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-01 21:54 UTC
Published
2026-07-15 17:00 UTC
Last updated
2026-07-15 18:12 UTC
Primary CWE
CWE-306
Missing Authentication for Critical Function
Vendor / Product
gpustack / gpustack
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
gpustack gpustack 0 ≤ 2.2.1, 4e20551b5aaf76f93a8769d32b7fef999e22a4d3
Weakness (CWE)
CWESourceDescription
CWE-306 cna Missing Authentication for Critical Function
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Back to overview