CVE-2026-13507
Deferred Deferred - Pending Action

Insufficient Input Validation in OpenViking Local VectorDB

Vulnerability report for CVE-2026-13507, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-28
Last Modified
2026-06-29
Generated
2026-07-19
AI Q&A
2026-06-29
EPSS Evaluated
2026-07-17
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
volcengine openviking to 0.3.21 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in volcengine OpenViking up to version 0.3.21, specifically in the function str_to_uint64 within the file openviking/storage/vectordb/utils/str_to_uint64.py. It affects the Local VectorDB Primary-key Label Handler component. The issue arises because the argument ID is manipulated in a way that leads to insufficient verification of data authenticity.

The vulnerability can be exploited remotely, but the attack is considered highly complex and difficult to execute. A fix has been proposed but is still awaiting acceptance.

Impact Analysis

Exploitation of this vulnerability could allow an attacker to manipulate the ID argument, potentially compromising the authenticity of data handled by the Local VectorDB Primary-key Label Handler. This could lead to unauthorized data manipulation or access.

However, the attack is difficult to perform and requires a high level of complexity, which may reduce the likelihood of successful exploitation.

Compliance Impact

The vulnerability in OpenViking involves insufficient verification of data authenticity and security-context omission in storage identity and cryptographic key derivation. This can lead to data leakage or corruption due to identical internal labels for different security contexts and weakened cryptographic isolation.

Such issues potentially impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strong data integrity, confidentiality, and access control measures to protect personal and sensitive information.

Because the vulnerability allows records with the same bare ID but different tenant/resource contexts to share storage labels and cryptographic keys lack binding to specific uses, it increases the risk of unauthorized data access or data integrity violations, which could lead to non-compliance with these regulations.

Mitigation Strategies

To mitigate the vulnerability in volcengine OpenViking, you should apply the security fixes introduced in the pending pull request that addresses the issue by binding storage and crypto keys to security contexts.

  • Reject local VectorDB primary-key rebinding when an existing record's security context changes.
  • Prevent bound-account VectorDB upserts that target another account.
  • Bind account key derivation to purpose and derivation version, with a legacy v1 decrypt fallback.

These changes improve security by ensuring proper verification of data authenticity and cryptographic isolation, reducing risks of data leakage or corruption.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart