CVE-2026-58658
HIGHGPUStack Unauthenticated Information Disclosure via Worker Endpoints
Title source: cnaDescription
GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication.
References (3)
Core 3
Core References
Patch patch
Patch Commit
https://github.com/gpustack/gpustack/commit/4e20551b5aaf76f93a8769d32b7fef999e22a4d3
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/gpustack-unauthenticated-information-disclosure-via-worker-endpoints
Scores
CVSS v3
8.2
EPSS
0.0039
EPSS Percentile
31.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-306
Status
published
Products (2)
gpustack/gpustack
< 2.2.1
gpustack/gpustack
4e20551b5aaf76f93a8769d32b7fef999e22a4d3
Published
Jul 15, 2026
Tracked Since
Jul 15, 2026