Weak Hash Vulnerability in SkyPilot User ID Handler by skypilot-org
CVE-2026-13482

6.3 MEDIUM

Key Information:

Status
Vendor
CVE Published: 28 June 2026

What is CVE-2026-13482?

A vulnerability has been identified in the User ID Handler of SkyPilot, specifically in the function username.encode in the file sky/users/server.py. The flaw permits the use of weak hashing algorithms, which can lead to the exposure of sensitive user identifiers. The attack can be executed remotely, but it is complex to carry out, which may hinder exploitation. The vulnerability has been made public, and the vendor was notified prior to the disclosure.

Affected Version(s)

skypilot 0.1

skypilot 0.2

skypilot 0.3

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dem0 (VulDB User)
VulDB CNA Team