Description
A vulnerability was determined in yoanbernabeu grepai up to 0.35.0. The affected element is the function PostgresStore.LookupByContentHash of the file indexer/chunker.go of the component Postgres Embedding Cache. Executing a manipulation of the argument content_hash can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Published: 2026-06-08
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in the PostgresStore.LookupByContentHash function within the Postgres Embedding Cache module. An attacker with local access can manipulate the content_hash argument, causing the application to use a weak hash algorithm. This weak hash creates a risk of collisions or other integrity weaknesses, but does not provide remote code execution or direct disclosure of secrets.

Affected Systems

The flaw affects the grepai project by yoanbernabeu, up to and including version 0.35.0. Users running this version in any environment that allows local modification of the content_hash parameter are vulnerable.

Risk and Exploitability

The CVSS score of 2 indicates low severity. The exploit is local, requiring the attacker to run code on the same host with sufficient privileges, and is described as difficult. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The limited scope and privacy of the local attack surface make this a low‑risk vulnerability, yet it is publicly disclosed and could be employed by a local attacker to influence the hash algorithm used.

Generated by OpenCVE AI on June 8, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update grepai to the latest released version where the weak hash algorithm has been replaced in accordance with CWE‑327 recommendations.
  • Add input validation to the content_hash parameter, ensuring only properly formatted hash values are accepted, to mitigate CWE‑328 issues and prevent manipulation of the lookup function.
  • Run the grepai service under the least privileged account and, if possible, disable the embedding cache lookup feature when it is not required, limiting the potential impact of a local attacker.

Generated by OpenCVE AI on June 8, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in yoanbernabeu grepai up to 0.35.0. The affected element is the function PostgresStore.LookupByContentHash of the file indexer/chunker.go of the component Postgres Embedding Cache. Executing a manipulation of the argument content_hash can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Title yoanbernabeu grepai Postgres Embedding Cache chunker.go PostgresStore.LookupByContentHash weak hash
First Time appeared Yoanbernabeu
Yoanbernabeu grepai
Weaknesses CWE-327
CWE-328
CPEs cpe:2.3:a:yoanbernabeu:grepai:*:*:*:*:*:*:*:*
Vendors & Products Yoanbernabeu
Yoanbernabeu grepai
References
Metrics cvssV2_0

{'score': 1, 'vector': 'AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Yoanbernabeu Grepai
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T13:01:50.902Z

Reserved: 2026-06-07T09:57:01.801Z

Link: CVE-2026-11481

cve-icon Vulnrichment

Updated: 2026-06-08T13:01:46.847Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T03:16:20.523

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T07:00:10Z

Weaknesses