CVE Catalog

CVE-2026-13482

Low · CVSS 3.7
Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

A vulnerability was found in skypilot up to version 0.12.0, affecting the username.encode function in sky/users/server.py of the User ID Handler component. Manipulation leads to use of a weak hash; the attack can be carried out remotely but has high complexity.

Risk Assessment

An attacker can remotely exploit the weak hash to compromise credential integrity, potentially leading to unauthorized system access.

Recommendation

Immediately update skypilot to the latest version after 0.12.0 and apply a stronger hashing algorithm for user identifiers.

Original NVD description (English source)

A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS