Description
vantage6 is an open-source infrastructure for privacy-preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms' input and output files. Version 5.0.0 fixes the issue. As a workaround, verify and restrict the algorithm containers that are allowed to run on the node.
Published: 2026-06-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access control flaw in the Vantage6 node software lets a malicious algorithm running on the node discover and read files belonging to other algorithms. The vulnerability stems from insufficient isolation between algorithm containers, which violates confidentiality and can expose sensitive data. The weakness is classified as CWE‑284 (Improper Access Control).

Affected Systems

All Vantage6 installations running any version before 5.0.0 are vulnerable. The fix was introduced in version 5.0.0; nodes running that or newer releases are not affected.

Risk and Exploitability

The CVSS score of 6.9 corresponds to Medium severity. The EPSS score is under 1%, suggesting that exploitation is currently considered unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the ability to submit or otherwise deploy an algorithm container on the target node. Once a malicious algorithm is executed, it can potentially access other algorithms’ input and output files on the node. The impact is essentially the disclosure of private data that was supposed to remain isolated within each algorithm’s container.

Generated by OpenCVE AI on June 18, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vantage6 node to version 5.0.0 or later, where the access control issue is resolved.
  • If an upgrade is not immediately feasible, examine the configuration of algorithm containers on the node and restrict the list of containers permitted to run, ensuring only trusted algorithms can execute.
  • Apply network segmentation or firewall rules to limit inter‑container communication so that a compromised container cannot reach unrelated data paths on the host filesystem.


Advisories
Source: GitHub GHSA
ID: GHSA-x9f6-9rvm-mmrg
Title: vantage6 node has an Improper Access Control issue
History

Thu, 18 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vantage6; Vantage6 vantage6
Vendors & Products | | Vantage6; Vantage6 vantage6

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | vantage6 is an open-source infrastructure for privacy-preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms' input and output files. Version 5.0.0 fixes the issue. As a workaround, verify and restrict the algorithm containers that are allowed to run on the node.
Title | | vantage6 node has an Improper Access Control issue
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:36:58.300Z

Reserved: 2026-06-15T18:40:01.652Z

Link: CVE-2026-54533

Vulnrichment

Updated: 2026-06-18T12:36:53.818Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses