CVE-2026-14738

Weak Hash in exo-explore exo Vision Feature Cache

Vulnerability report for CVE-2026-14738, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A security flaw has been discovered in exo-explore exo up to version 1.0.71. Affected is the function _image_cache_key in the file src/exo/worker/engines/mlx/vision.py, part of the Vision Feature Cache component. The cache key is built from a hash that does not meet security expectations for its purpose (CWE-328), so crafted input can make distinct images share a key. The attack can be launched remotely, but its complexity is high and exploitation is considered difficult. An exploit has been published and may be used in attacks. A pull request that fixes the issue has been submitted and is awaiting acceptance.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor Product Version / Range
exo-explore exo 1.0.71

CWE

CWE-328: The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.

Executive Summary

This vulnerability exists in the exo-explore exo project, in the _image_cache_key function of the Vision Feature Cache component. The key under which an image's extracted features are cached is a hash computed only over the image's raw pixel bytes; the image's dimensions (width and height) are not part of the hashed input. Two images with different dimensions but byte-for-byte identical pixel buffers therefore map to the same key. The weakness lies in what is hashed rather than in the hash primitive itself: any digest, however strong, collides when it is fed identical input.

This enables cache poisoning: the feature cache treats distinct images as identical and returns the features of whichever image was processed first. The issue is reachable remotely, although attack complexity is high and exploitation is difficult. The proposed fix includes the image dimensions in the hash input so that differently shaped images no longer collide.

Impact Analysis

The vulnerability can cause the vision feature cache to return features that were computed for a different image. When two images with the same pixel bytes but different dimensions are processed, the second is served the first image's cached features, and the model produces inference results for the wrong input.

In practical terms this means incorrect AI model outputs for any application that relies on image feature extraction through the MLX engine. Because the cache is shared at the process level, a collision introduced by one request can affect the responses other API clients receive, degrading the reliability and trustworthiness of the system.

Detection Guidance

To detect exposure, first verify whether an affected version (up to 1.0.71) of exo-explore exo is deployed. Because the flaw is a cache key collision inside the process, there is no network signature to match; detection is behavioural.

A direct test is to submit two images with different dimensions whose raw pixel buffers are byte-for-byte identical (for example a 6x4 and a 4x6 image built from the same pixel data; the two have the same number of pixels and so the same buffer length) and check whether the second request is served the features computed for the first. A correct system produces different features for the two shapes; an affected one returns the cached result of whichever image was processed first.

No specific network or system commands for automated detection are provided in the resources.

Mitigation Strategies

The immediate mitigation is to apply the fix, which changes the hash input in the _image_cache_key and content_hash functions to include the image dimensions (width and height) together with the pixel bytes, so that differently shaped images no longer share a cache key.

Since the pull request addressing this issue is awaiting acceptance, the file src/exo/worker/engines/mlx/vision.py can be patched manually by prepending the image dimensions to the data that is hashed. When doing so, encode the dimensions unambiguously (fixed-width fields, or a delimiter that cannot occur in the pixel data) so that the header and the pixel bytes cannot be re-split into a different shape and buffer that hash to the same value.

Until the fix is merged and released, avoid running affected versions (up to 1.0.71) in production environments.
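To make both the detection test in the Detection Guidance section and the proposed fix concrete, here is an added example in Python. It is written for this page and is not code from the exo project: the `Image` dataclass, `FeatureCache`, `row_sum_features` and `probe` are stand-ins invented for the illustration, and neither key function reproduces the real `_image_cache_key`. It shows a key that hashes only pixel bytes colliding for a 6x4 and a 4x6 image built from the same 72-byte buffer, and a shape-bound key that does not:

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


# Hypothetical stand-in for an image object; exo's vision.py is not reproduced here.
@dataclass(frozen=True)
class Image:
    width: int
    height: int
    channels: int
    pixels: bytes  # row-major raw pixel buffer, len == width * height * channels

    def __post_init__(self) -> None:
        if len(self.pixels) != self.width * self.height * self.channels:
            raise ValueError("pixel buffer does not match declared shape")


def cache_key_vulnerable(img: Image) -> str:
    """Key derived from the raw pixel bytes only (the pattern the advisory describes).
    Shape is not part of the hashed input, so a 6x4 and a 4x6 image sharing one
    72-byte buffer get the same key no matter how strong the digest is."""
    return hashlib.sha256(img.pixels).hexdigest()


def cache_key_fixed(img: Image) -> str:
    """Key that binds the shape: a fixed-width big-endian header (width, height,
    channels) is prepended to the pixel bytes before hashing. Fixed-width fields
    mean header and pixel data cannot be re-split into another valid shape."""
    header = struct.pack(">III", img.width, img.height, img.channels)
    return hashlib.sha256(header + img.pixels).hexdigest()


class FeatureCache:
    """Minimal process-level cache keyed by a caller-supplied key function."""

    def __init__(self, key_fn: Callable[[Image], str]) -> None:
        self._key_fn = key_fn
        self._store: Dict[str, Tuple[int, ...]] = {}
        self.misses = 0

    def get_or_compute(self, img: Image,
                       compute: Callable[[Image], Tuple[int, ...]]) -> Tuple[int, ...]:
        key = self._key_fn(img)
        if key not in self._store:
            self.misses += 1
            self._store[key] = compute(img)
        return self._store[key]


def row_sum_features(img: Image) -> Tuple[int, ...]:
    """Toy, shape-dependent feature extractor: one byte sum per image row.
    A real vision encoder is shape-dependent too, which is why a key collision
    hands back features that belong to a differently shaped image."""
    stride = img.width * img.channels
    return tuple(sum(img.pixels[r * stride:(r + 1) * stride]) for r in range(img.height))


def make_collision_pair() -> Tuple[Image, Image]:
    """Constructed sample input: the same 72 bytes declared as 6x4 and as 4x6, 3 channels."""
    pixels = bytes(range(72))
    return Image(6, 4, 3, pixels), Image(4, 6, 3, pixels)


def probe(key_fn: Callable[[Image], str]) -> dict:
    """The advisory's detection test against a given key function: process the 6x4
    image, then the 4x6 image, and report whether the second lookup was served the
    first image's features."""
    a, b = make_collision_pair()
    cache = FeatureCache(key_fn)
    cache.get_or_compute(a, row_sum_features)
    feats_b = cache.get_or_compute(b, row_sum_features)
    return {
        "keys_collide": key_fn(a) == key_fn(b),
        "served_wrong_features": feats_b != row_sum_features(b),
        "misses": cache.misses,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(cache_key_vulnerable))
    print("fixed:     ", probe(cache_key_fixed))
```

With the vulnerable key the probe reports a collision and one cache miss: the 4x6 image receives the four row sums computed for the 6x4 image instead of its own six. With the shape-bound key there are two misses and each image gets its own features. The header is packed with fixed-width fields rather than built by string concatenation so that, for example, a header of "64" plus a buffer cannot be read as "6" plus a buffer starting with "4"; whatever encoding a manual patch uses, it should have that property.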

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
