Description
A security flaw has been discovered in MyScale MyScaleDB up to 1.8.0. This vulnerability affects the function SegmentId::getCacheKey in the library src/VectorIndex/Common/SegmentId.h. The manipulation results in insufficient verification of data authenticity. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
Published: 2026-06-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In MyScaleDB versions up to 1.8.0, the function SegmentId::getCacheKey in src/VectorIndex/Common/SegmentId.h does not properly verify the authenticity of data used to compute cache keys. This flaw allows an attacker who can supply crafted input to bypass authenticity checks and influence index cache key generation. The weakness is classified as CWE‑345. While the CVSS score of 2.3 reflects a limited impact, the vulnerability can be exploited remotely, albeit with high technical complexity.

Affected Systems

The vulnerability affects MyScaleDB distributed as MyScale:MyScaleDB for all publicly available builds up to and including 1.8.0. Users operating any version of this product prior to the pending fix are susceptible. No other vendors or product lines are identified.

Risk and Exploitability

The attack vector is remote, requiring the attacker to supply malicious input to the getCacheKey routine. The lack of an available EPSS score and absence from CISA KEV suggest low observable exploitation, but the vulnerability remains exploitable. Given the low CVSS score, the overall risk to confidentiality, integrity, and availability is limited; however, monitoring for abnormal cache key activity is prudent until the pull request is merged.

Generated by OpenCVE AI on June 29, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if an official MyScaleDB update that addresses this vulnerability is available and apply it immediately when released.
  • Implement an explicit authenticity check for input data before it is passed to SegmentId::getCacheKey when a patch is not yet available.
  • Restrict external access to database components that may expose getCacheKey, allowing only trusted hosts or blocking unknown sources.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in MyScale MyScaleDB up to 1.8.0. This vulnerability affects the function SegmentId::getCacheKey in the library src/VectorIndex/Common/SegmentId.h. The manipulation results in insufficient verification of data authenticity. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
Title | | MyScale MyScaleDB SegmentId.h getCacheKey data authenticity
First Time appeared | | Myscale; Myscale myscaledb
Weaknesses | | CWE-345
CPEs | | cpe:2.3:a:myscale:myscaledb:*:*:*:*:*:*:*:*
Vendors & Products | | Myscale; Myscale myscaledb
References | |
Metrics | | cvssV2_0: {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T23:00:16.154Z

Reserved: 2026-06-28T06:33:46.561Z

Link: CVE-2026-13513

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T01:00:06Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity