CVE-2026-58658
Received Received - Intake

Unauthenticated Information Disclosure in GPUStack

Vulnerability report for CVE-2026-58658, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpustack gpustack to 2.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58658 is an unauthenticated information disclosure vulnerability in GPUStack versions up to 2.2.1. It allows attackers to access sensitive inference logs and modify worker configurations by exploiting unprotected /serveLogs and /debug endpoints on the worker port without authentication.

Impact Analysis

Attackers can read model-serving logs containing prompts and completions, change log levels, and access memory profiling data. This could expose sensitive data or allow configuration changes that disrupt services.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data like prompts and completions, violating GDPR and HIPAA requirements for data protection and confidentiality.

Detection Guidance

Check if the GPUStack worker port (default 10150) is exposed to the network. Use curl to test unauthenticated access to /serveLogs and /debug endpoints. Example commands: curl http://<target>:10150/serveLogs and curl http://<target>:10150/debug. If these return sensitive data without authentication, the system is vulnerable.

Mitigation Strategies

Apply the official fix by updating GPUStack to a version including commit 4e20551. Ensure the /serveLogs and /debug endpoints require authentication by adding worker_auth dependencies. Restrict network access to the worker port if possible. Verify the fix by testing the endpoints again.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58658. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart