CVE-2026-58658
GPUStack · GPUStack
GPUStack contains a missing authentication vulnerability in worker endpoints that allows unauthenticated attackers to disclose sensitive information.
Executive summary
A missing authentication vulnerability in GPUStack versions 2.2.1 and earlier allows unauthenticated attackers to perform unauthorized information disclosure.
Vulnerability
This vulnerability stems from missing authentication for critical worker endpoints, allowing unauthenticated remote attackers to access sensitive information.
Business impact
The unauthorized disclosure of sensitive information can lead to data breaches or the compromise of operational intelligence regarding GPU resources. With a CVSS score of 8.2, this vulnerability represents a high risk to the confidentiality of the affected deployment.
Remediation
Immediate Action: Update to the latest version of GPUStack that incorporates the fix provided in commit 4e20551b5aaf76f93a8769d32b7fef999e22a4d3.
Proactive Monitoring: Monitor API and worker endpoint traffic for anomalous request patterns or unauthorized access attempts.
Compensating Controls: Implement strict network segmentation and ensure that worker endpoints are not exposed to untrusted networks or the public internet.
Exploitation status
Public Exploit Available: No confirmed public exploit in the available data.
Analyst recommendation
The presence of a proof-of-concept increases the urgency of this remediation. Security teams should verify their current version and apply the necessary updates immediately to secure sensitive information stored within the GPUStack infrastructure.