CVE-2026-13482 PUBLISHED

skypilot-org skypilot User ID server.py username.encode weak hash

Assigner: VulDB
Reserved: 27.06.2026 Published: 28.06.2026 Updated: 28.06.2026

A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 6.3

Product Status

Vendor skypilot-org
Product skypilot
Versions
  • Version 0.1 is affected
  • Version 0.2 is affected
  • Version 0.3 is affected
  • Version 0.4 is affected
  • Version 0.5 is affected
  • Version 0.6 is affected
  • Version 0.7 is affected
  • Version 0.8 is affected
  • Version 0.9 is affected
  • Version 0.10 is affected
  • Version 0.11 is affected
  • Version 0.12.0 is affected

Credits

  • Dem0 (VulDB User) reporter
  • VulDB CNA Team coordinator

References

Problem Types

  • Use of Weak Hash CWE
  • Risky Cryptographic Algorithm CWE