CVE-2026-11466 - Vulnerability Details

- zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control

Description

A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.

Published: 2026-06-07

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the CollectionRouter.invoke function of zilliztech deep-searcher, where manipulation of the keyword arguments allows the bypass of intended access controls. This weakness enables an attacker to execute actions with elevated privileges or access protected resources that should be restricted, potentially leading to unauthorized data manipulation or disclosure. The flaw is classified as CWE-266 and CWE-284 and carries a CVSS score of 5.3, indicating moderate overall risk.

Affected Systems

Vendors affected are zilliztech with its deep-searcher product. The issue exists in all releases up to and including version 0.0.2. Users running any of these versions should verify whether they expose the CollectionRouter.invoke endpoint to external requests.

Risk and Exploitability

Remote exploitation is feasible; the vulnerability has been demonstrated publicly on GitHub and VulDB, and the exploit code is available to attackers. While a CVSS score of 5.3 suggests moderate severity, the lack of KEV listing and an unavailable EPSS score do not diminish the risk of an attacker planning to target exposed deep-searcher instances. The attack vector is remote, requiring network access to the service that hosts CollectionRouter.invoke.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

zilliztech

deep-searcher

affected

Version	Status	Constraints
`0.0.1`	affected	—
`0.0.2`	affected	—

No data.

Vendor Product Confidence Versions

Zilliztech

Deep-searcher

100%

Version	Status	Scheme	Platform
`0.0.1`	affected	semver	—
`0.0.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update deep-searcher to a version that includes the fix from PR #268 or manually apply the patch changes, ensuring that CollectionRouter.invoke credentials are properly validated.
Restrict network access to the deep-searcher service so that only trusted hosts can communicate with the CollectionRouter API, reducing the attack surface.
Disable or restrict the CollectionRouter.invoke functionality for unauthenticated or low‑privilege callers, enforcing strict authentication and authorization checks before processing requests.

Generated by OpenCVE AI on June 8, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/zilliztech/deep-searcher/
https://github.com/zilliztech/deep-searcher/issues/267
https://github.com/zilliztech/deep-searcher/pull/268
https://vuldb.com/cve/CVE-2026-11466
https://vuldb.com/submit/833652
https://vuldb.com/vuln/369086
https://vuldb.com/vuln/369086/cti

History

Mon, 08 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.
Title		zilliztech deep-searcher collection_router.py CollectionRouter.invoke access control
First Time appeared		Zilliztech Zilliztech deep-searcher
Weaknesses		CWE-266 CWE-284
CPEs		cpe:2.3:a:zilliztech:deep-searcher::::::::
Vendors & Products		Zilliztech Zilliztech deep-searcher
References		https://github.com/zilliztech/deep-searcher/ https://github.com/zilliztech/deep-searcher/issues/267 https://github.com/zilliztech/deep-searcher/pull/268 https://vuldb.com/cve/CVE-2026-11466 https://vuldb.com/submit/833652 https://vuldb.com/vuln/369086 https://vuldb.com/vuln/369086/cti
Metrics		cvssV2_0 `{'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Zilliztech Deep-searcher

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-07T23:00:15.431Z

Updated: 2026-06-08T13:44:25.703Z

Reserved: 2026-06-07T09:20:16.327Z

Link: CVE-2026-11466

Vulnrichment

Updated: 2026-06-08T13:44:19.502Z

NVD

Status : Deferred

Published: 2026-06-07T23:16:42.213

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T09:00:51Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object