Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to use of weak hash. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Weak SHA1-based chunk ID generation in yoanbernabeu grepai 0.35.0 enables insufficient namespace isolation within the Qdrant vector database backend, allowing an authenticated remote attacker to potentially access or corrupt indexed data belonging to other projects sharing the same Qdrant collection. The vulnerability stems from the absence of project namespace scoping in chunk UUID derivation, meaning chunk IDs could collide or be predicted across project boundaries. Publicly available exploit code exists per the CVSS E:P modifier and vendor disclosure, though no confirmed active exploitation (CISA KEV) has been recorded; the extremely low CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35010
GHSA-6h35-9p2w-3j3r