CVE-2026-11481
Deferred Deferred - Pending Action
Stored Hash Manipulation in GrepAI Postgres Embedding Cache

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was determined in yoanbernabeu grepai up to 0.35.0. The affected element is the function PostgresStore.LookupByContentHash of the file indexer/chunker.go of the component Postgres Embedding Cache. Executing a manipulation of the argument content_hash can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11481
EUVD
EUVD-2026-35012
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yoanbernabeu grepai to 0.35.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-11481 exists in the grepai tool, specifically in the Postgres embedding cache's LookupByContentHash function. This function queries the database using only the content_hash without restricting the query by project_id. As a result, embeddings (vectors) generated for one project can be accessed by another project if they share the same content hash. This improper scoping leads to cross-project embedding reuse.

The root cause is that while most Postgres store operations correctly scope reads and writes by project_id, this cache lookup bypasses that restriction. This can cause security issues such as loss of index integrity, corruption of search quality, and potential side-channel observations through cache hits.

Impact Analysis

This vulnerability can impact you by allowing data from one project to be accessed or reused by another project sharing the same Postgres backend. This cross-project reuse can lead to several issues:

  • Loss of index integrity, meaning the data indexes may become unreliable.
  • Corruption of search quality, resulting in incorrect or misleading search results.
  • Potential cache-hit side-channel observations, which could leak information about other projects' data.

Overall, this can compromise the security and correctness of your data and search operations if multiple projects share the same backend.

Detection Guidance

This vulnerability involves the PostgresStore.LookupByContentHash function performing cache lookups without scoping by project_id, which can lead to cross-project embedding reuse.

To detect this issue, you can check the database queries executed by the grepai tool to see if the content_hash lookup includes the project_id filter.

A practical approach is to monitor or log SQL queries on the Postgres backend and look for queries on the chunks table that use only content_hash without project_id.

  • Use PostgreSQL query logging to capture queries: set log_statement = 'all' in postgresql.conf and review logs for queries like: SELECT * FROM chunks WHERE content_hash = 'some_hash';
  • Run a manual SQL query to check for entries with the same content_hash but different project_id values, which could indicate cross-project reuse.
  • Example SQL command to find content_hash values shared across multiple projects: SELECT content_hash, COUNT(DISTINCT project_id) FROM chunks GROUP BY content_hash HAVING COUNT(DISTINCT project_id) > 1;
Mitigation Strategies

The immediate mitigation is to ensure that the Postgres embedding cache lookup queries include the project_id filter to prevent cross-project embedding reuse.

Since the fix is available as a pull request, you should apply the patch or update to a version of grepai that includes the fix once it is accepted.

In the meantime, restrict access to the system to trusted local users only, as the attack requires local execution and high complexity.

  • Apply the patch from the pull request that scopes cache lookups by project_id.
  • Limit local user permissions to reduce the risk of exploitation.
  • Monitor and audit database queries to detect any suspicious cross-project cache lookups.
Compliance Impact

The vulnerability allows cross-project embedding reuse due to the Postgres embedding cache lookup not properly scoping results by project_id. This can lead to data leakage between projects sharing the same Postgres backend, potentially exposing sensitive information across project boundaries.

Such unintended data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require strict data segregation and protection of personal or sensitive data. The risk of index integrity loss and cache-hit side-channel observations further exacerbates potential compliance issues.

However, the attack requires local access and has a high complexity, which may limit the practical risk. A fix is pending that scopes cache lookups by project_id to prevent cross-project data leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart