CVE-2026-13507

A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The pull request to fix this issue awaits acceptance.

CVSS v3 5.0 MEDIUM
CVSS v2.0 4.6 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:S/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/volcengine/OpenViking/
https://github.com/volcengine/OpenViking/issues/2263
https://github.com/volcengine/OpenViking/pull/2268
https://vuldb.com/cve/CVE-2026-13507
https://vuldb.com/submit/838791
https://vuldb.com/vuln/374515
https://vuldb.com/vuln/374515/cti
https://github.com/volcengine/OpenViking/issues/2263

Configurations

No configuration.

History

29 Jun 2026, 12:16

Type	Values Removed	Values Added
References	~~() https://github.com/volcengine/OpenViking/issues/2263 -~~	() https://github.com/volcengine/OpenViking/issues/2263 -

28 Jun 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-28 22:16

Updated : 2026-06-29 12:16

NVD link : CVE-2026-13507

Mitre link : CVE-2026-13507

CVE.ORG link : CVE-2026-13507

JSON object : View

Products Affected

No product.

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2026-13507", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-13507", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-29T11:13:13.978342Z"}}], "cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "cna@vuldb.com", "affectedData": [{"cpes": ["cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*"], "vendor": "volcengine", "modules": ["Local VectorDB Primary-key Label Handler"], "product": "OpenViking", "versions": [{"status": "affected", "version": "0.3.0"}, {"status": "affected", "version": "0.3.1"}, {"status": "affected", "version": "0.3.2"}, {"status": "affected", "version": "0.3.3"}, {"status": "affected", "version": "0.3.4"}, {"status": "affected", "version": "0.3.5"}, {"status": "affected", "version": "0.3.6"}, {"status": "affected", "version": "0.3.7"}, {"status": "affected", "version": "0.3.8"}, {"status": "affected", "version": "0.3.9"}, {"status": "affected", "version": "0.3.10"}, {"status": "affected", "version": "0.3.11"}, {"status": "affected", "version": "0.3.12"}, {"status": "affected", "version": "0.3.13"}, {"status": "affected", "version": "0.3.14"}, {"status": "affected", "version": "0.3.15"}, {"status": "affected", "version": "0.3.16"}, {"status": "affected", "version": "0.3.17"}, {"status": "affected", "version": "0.3.18"}, {"status": "affected", "version": "0.3.19"}, {"status": "affected", "version": "0.3.20"}, {"status": "affected", "version": "0.3.21"}]}]}], "published": "2026-06-28T22:16:47.293", "references": [{"url": "https://github.com/volcengine/OpenViking/", "source": "cna@vuldb.com"}, {"url": "https://github.com/volcengine/OpenViking/issues/2263", "source": "cna@vuldb.com"}, {"url": "https://github.com/volcengine/OpenViking/pull/2268", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/cve/CVE-2026-13507", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/submit/838791", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/374515", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/374515/cti", "source": "cna@vuldb.com"}, {"url": "https://github.com/volcengine/OpenViking/issues/2263", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The pull request to fix this issue awaits acceptance."}], "lastModified": "2026-06-29T12:16:25.553", "sourceIdentifier": "cna@vuldb.com"}