PYSEC-2026-1973

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/torchserve/PYSEC-2026-1973.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1973
Aliases
Published
2026-07-07T14:34:54.081606Z
Modified
2026-07-07T17:48:11.504027418Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
TorchServe script references S3 bucket without ensuring ownership or confirming accessibility
Details

In the latest version of pytorch/serve, the script 'uploadresultsto_s3.sh' references the S3 bucket 'benchmarkai-metrics-prod' without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unauthorized access to the bucket if it is not properly secured or claimed by the appropriate entity. The issue may result in data breaches, exposure of proprietary information, or unauthorized modifications to stored data.

References

Affected packages

PyPI / torchserve

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.11.0

Affected versions

0.*
0.0.1b20200409
0.1.1
0.2.0
0.2.2
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.7.0
0.7.1
0.8.0
0.8.1
0.8.2
0.9.0
0.10.0
0.11.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/torchserve/PYSEC-2026-1973.yaml"