Skip to main content

Gpustack

1 CVEs product

Monthly

CVE-2026-58658 HIGH POC PATCH This Week

Unauthenticated information disclosure in GPUStack through version 2.2.1 lets remote attackers reach the worker port's unprotected /serveLogs and /debug endpoints to stream live inference logs - including user prompts and model completions - and to alter worker runtime configuration such as log levels and memory profiling output. Because the flaw is missing authentication (CWE-306) on network-exposed endpoints, exploitation requires no credentials and no user interaction; publicly available exploit code exists, though the issue is not listed in CISA KEV. VulnCheck reported it and the vendor fixed it in commit 4e20551.

Authentication Bypass Information Disclosure Gpustack
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Unauthenticated information disclosure in GPUStack through version 2.2.1 lets remote attackers reach the worker port's unprotected /serveLogs and /debug endpoints to stream live inference logs - including user prompts and model completions - and to alter worker runtime configuration such as log levels and memory profiling output. Because the flaw is missing authentication (CWE-306) on network-exposed endpoints, exploitation requires no credentials and no user interaction; publicly available exploit code exists, though the issue is not listed in CISA KEV. VulnCheck reported it and the vendor fixed it in commit 4e20551.

Authentication Bypass Information Disclosure Gpustack
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy