Description
A vulnerability was detected in zilliztech GPTCache up to 0.1.44. Affected by this issue is the function BufferedReader.peek of the file gptcache/processor/pre.py of the component Cache Key Handler. Performing a manipulation of the argument input_data["image"] results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-04
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the BufferedReader.peek function of GPTCache’s Cache Key Handler. An attacker who can influence the input_data["image"] field when the application runs locally can cause the system to generate cache keys using a weak hash algorithm. This weakness does not enable remote code execution or direct data exfiltration; it mainly increases the probability of hash collisions, which may lead to unintended cache eviction or local resource exhaustion.

Affected Systems

All installations running zilliztech GPTCache version 0.1.44 or earlier are affected, regardless of the operating system or host environment. The issue is confined to deployments that have not upgraded past the release where the fix is pending.

Risk and Exploitability

With a CVSS score of 2, the vulnerability is rated low overall. Exploitation requires local access and is described as high‑complexity, making successful attacks nontrivial. The exploit is publicly available but the fix resides in a pull request that has not yet been merged, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 4, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Monitor the GPTCache repository for the merge of pull request #678 that removes the weak hash usage.
  • Upgrade to GPTCache version 0.1.45 or later once the fix is released.
  • If the application allows, replace the weak hash algorithm with a strong cryptographic hash for cache key generation as an interim measure.
  • Restrict local system access to trusted administrators to reduce the chance of an attacker manipulating the "image" input parameter.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was detected in zilliztech GPTCache up to 0.1.44. Affected by this issue is the function BufferedReader.peek of the file gptcache/processor/pre.py of the component Cache Key Handler. Performing a manipulation of the argument input_data["image"] results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance. |
| Title | | zilliztech GPTCache Cache Key pre.py BufferedReader.peek weak hash |
| First Time appeared | | Zilliztech; Zilliztech gptcache |
| Weaknesses | | CWE-327; CWE-328 |
| CPEs | | cpe:2.3:a:zilliztech:gptcache:*:*:*:*:*:*:*:* |
| Vendors & Products | | Zilliztech; Zilliztech gptcache |
| References | | |
| Metrics | | cvssV2_0: {'score': 2.4, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 3.6, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T15:06:07.890Z

Reserved: 2026-06-04T05:22:50.962Z

Link: CVE-2026-10812

Vulnrichment

Updated: 2026-06-04T15:05:16.103Z

NVD

Status: Deferred

Published: 2026-06-04T15:16:48.807

Modified: 2026-06-04T16:32:40.690

Link: CVE-2026-10812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:07:43Z

Weaknesses
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328: Use of Weak Hash