CVE-2026-11479
Deferred Deferred - Pending Action
Use of Weak Hash in Qdrant Backend via grepai 0.35.0

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability has been found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to use of weak hash. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11479
EUVD
EUVD-2026-35010
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
yoanbernabeu grepai 0.35.0
qdrant qdrant *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in grepai 0.35.0 involves the way chunks of code from different projects are indexed in a shared Qdrant vector index. Specifically, chunk IDs are generated using only the file path and chunk index, which can result in identical IDs for chunks from different projects if they share the same relative file path and chunk index.

Because these chunk IDs are not namespaced by project or workspace, chunks from one project can overwrite chunks from another project in the shared Qdrant collection. This leads to cross-project vector index poisoning, where one project's data replaces another's, causing incorrect search results or unauthorized access to sensitive information.

The vulnerability is complex to exploit and requires remote access, but the exploit has been publicly disclosed. A fix is proposed to namespace chunk IDs by project/workspace to prevent these collisions.

Impact Analysis

This vulnerability can impact you by causing data from different projects to overwrite each other in a shared vector index, leading to inaccurate or corrupted search results.

It may also result in unauthorized access to sensitive information if data from one project is exposed or replaced by another project's data within the shared Qdrant collection.

Such data integrity and confidentiality issues can undermine trust in the tool and potentially disrupt development workflows that rely on accurate semantic code search.

Detection Guidance

This vulnerability involves chunk identity collisions in the Qdrant vector index used by grepai, where chunks from different projects overwrite each other if they share the same relative file path and chunk index.

To detect this issue on your system, you can check if multiple projects are configured to use the same Qdrant collection and if files with identical names and chunk indices exist across these projects.

Since grepai and Qdrant are involved, you might inspect the Qdrant collections for unexpected overwrites or inconsistencies by querying the stored chunk IDs.

Suggested commands include querying the Qdrant collection to list chunk IDs and verify if identical IDs appear for different projects, for example using Qdrant's API or CLI tools to list points and their metadata.

  • Use Qdrant's search or scroll API to list chunk IDs and check for duplicates across projects.
  • Inspect grepai configuration files to verify if multiple projects share the same Qdrant collection.
  • Monitor for unexpected search result inconsistencies or data poisoning symptoms in grepai outputs.
Mitigation Strategies

To mitigate this vulnerability, ensure that chunk IDs are namespaced by project or workspace to prevent collisions in shared Qdrant collections.

Avoid sharing Qdrant collections across multiple projects without proper isolation or namespacing.

Apply the fix from the pending pull request that namespaces Qdrant point IDs by project/workspace, which prevents same-path chunk conflicts.

If the fix is not yet merged or available, consider using separate Qdrant collections per project to avoid cross-project overwrites.

  • Review and update your grepai and Qdrant configurations to isolate projects.
  • Monitor for updates and apply the official patch once it is accepted.
  • Limit access to shared Qdrant collections to trusted projects only.
Compliance Impact

The vulnerability allows chunks from different projects to overwrite each other in a shared Qdrant vector index, potentially causing unauthorized access to or corruption of sensitive information across projects.

Such cross-project data overwrites and potential unauthorized data exposure could lead to violations of data protection regulations like GDPR or HIPAA, which require strict data segregation and protection of personal or sensitive information.

However, the exploitability is assessed as difficult and the vulnerability primarily affects the integrity and isolation of indexed data rather than direct data leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart