CVE-2026-13507
Received - Intake

Insufficient Input Validation in OpenViking Local VectorDB

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The pull request to fix this issue awaits acceptance.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: volcengine
Product: openviking
Version / Range: up to 0.3.21 (inclusive)

CWE

CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Executive Summary

This vulnerability exists in volcengine OpenViking up to version 0.3.21, specifically in the function str_to_uint64 within the file openviking/storage/vectordb/utils/str_to_uint64.py. It affects the Local VectorDB Primary-key Label Handler component. The issue arises because the argument ID is manipulated in a way that leads to insufficient verification of data authenticity.

The vulnerability can be exploited remotely, but the attack is considered highly complex and difficult to execute. A fix has been proposed but is still awaiting acceptance.

Impact Analysis

Exploitation of this vulnerability could allow an attacker to manipulate the ID argument, potentially compromising the authenticity of data handled by the Local VectorDB Primary-key Label Handler. This could lead to unauthorized data manipulation or access.

However, the attack is difficult to perform and requires a high level of complexity, which may reduce the likelihood of successful exploitation.
