CVE-2026-11466
MEDIUMzilliztech deep-searcher collection_router.py CollectionRouter.invoke access control
Title source: cnaDescription
A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.
References (7)
Core 7
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-369086 | zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control
https://vuldb.com/vuln/369086
Signature, Permissions Required signature
permissions-required
VDB-369086 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369086/cti
Third Party Advisory third-party-advisory
CVE-2026-11466 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11466
Third Party Advisory third-party-advisory
Submit #833652 | zilliztech deep-searcher 0.0.2 Improper Authorization
https://vuldb.com/submit/833652
Exploit exploit
issue-tracking
https://github.com/zilliztech/deep-searcher/issues/267
Patch issue-tracking
patch
https://github.com/zilliztech/deep-searcher/pull/268
Product product
https://github.com/zilliztech/deep-searcher/
Scores
CVSS v3
5.4
EPSS
0.0025
EPSS Percentile
16.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-266
CWE-284
Status
published
Products (2)
zilliztech/deep-searcher
0.0.1
zilliztech/deep-searcher
0.0.2
Published
Jun 07, 2026
Tracked Since
Jun 08, 2026