CVE-2026-58658

Source
https://cve.org/CVERecord?id=CVE-2026-58658
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58658.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58658
Published
2026-07-15T17:00:30.407Z
Modified
2026-07-17T03:47:39.140748427Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
GPUStack Unauthenticated Information Disclosure via Worker Endpoints
Details

GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication.

Database specific
{
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58658.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/gpustack/gpustack

Affected ranges

Type
GIT
Repo
https://github.com/gpustack/gpustack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.1"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.1.0
0.1.0rc1
0.1.0rc2
0.1.1
0.1.1rc1
0.1.2
0.1.2rc1
0.1.2rc2
0.2.0
0.2.0rc1
0.2.1
0.3.0
0.3.0rc1
0.3.1
0.3.1rc1
0.3.2
0.3.2rc1
v0.*
v0.4.0
v0.4.0rc1
v0.4.0rc2
v0.4.1
v0.4.1rc1
v0.5.0
v0.5.0rc1
v0.5.0rc2
v0.5.1
v0.5.1rc1
v0.6.0
v0.6.0rc1
v0.6.0rc2
v0.6.1
v0.6.1rc1
v0.7.0
v0.7.0rc1
v0.7.0rc2
v0.7.1
v0.7.1rc1
v0.7.1rc2
v2.*
v2.0.0
v2.0.0rc1
v2.0.0rc2
v2.0.1
v2.0.1rc1
v2.0.1rc2
v2.0.2
v2.0.2rc1
v2.0.2rc2
v2.1.0
v2.1.0rc1
v2.1.0rc2
v2.2.0
v2.2.0rc1
v2.2.0rc2
v2.2.0rc3
v2.2.0rc4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58658.json"