CVE-2026-58658

HIGH

GPUStack Unauthenticated Information Disclosure via Worker Endpoints

Title source: cna
STIX 2.1

Description

GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port. Attackers can enumerate model instance IDs to stream serving logs containing prompts and completions, change log levels, and read memory profiling data without any authentication.

Scores

CVSS v3 8.2
EPSS 0.0039
EPSS Percentile 31.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-306
Status published
Products (2)
gpustack/gpustack < 2.2.1
gpustack/gpustack 4e20551b5aaf76f93a8769d32b7fef999e22a4d3
Published Jul 15, 2026
Tracked Since Jul 15, 2026