CVE Catalog

CVE-2026-13507

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

A vulnerability was found in the Local VectorDB Primary-key Label Handler component of OpenViking up to version 0.3.21, where insufficient verification of data authenticity occurs when processing the ID argument in the str_to_uint64 function. The attack can be launched remotely but is highly complex and difficult to exploit.

Risk Assessment

The risk for the organization is the potential remote manipulation of data in the local vector database system, which could compromise the integrity of indexes or primary keys. Due to the high attack complexity, the risk is limited but requires monitoring.

Recommendation

It is recommended to immediately apply the fix from the pending pull request once accepted and update to the latest version of OpenViking. Until the patch is released, restrict access to interfaces using this function.

Original NVD description (English source)

A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The pull request to fix this issue awaits acceptance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS