CVE-2026-11466: Zilliz deep-searcher Access Control Bypass – CVSS 5.4
Zilliz's deep-searcher library contains an access control vulnerability in its collection routing logic. An authenticated attacker can manipulate function arguments to bypass intended restrictions, gaining unauthorized read access to data or causing service disruption. The issue affects versions up to 0.0.2, and exploit code is now publicly available, raising the risk of opportunistic attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
- Weaknesses (CWE)
- CWE-266, CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11466 is an improper access control flaw in the CollectionRouter.invoke method within deepsearcher/agent/collection_router.py. The vulnerability stems from insufficient validation of the kwargs parameter, allowing authenticated users to circumvent authorization checks (CWE-266, CWE-284). Remote exploitation requires valid credentials but no additional privileges or user interaction. Zilliz has prepared a fix via pull request, though it remains pending acceptance.
Business impact
Organizations deploying deep-searcher face potential data exposure and service availability risks. Authenticated insiders or compromised user accounts can read sensitive collections or trigger errors that degrade search functionality. In environments where deep-searcher indexes proprietary documents, vector data, or search indices, unauthorized access could expose competitive information or personal data. The moderate CVSS score (5.4) reflects the authentication requirement, but public exploit availability accelerates real-world threat probability.
Affected systems
Zilliz deep-searcher versions up to and including 0.0.2 are vulnerable. No other vendors or products have been identified in the advisory. Organizations should verify their deep-searcher version against release notes and dependency manifests. Early-stage projects and development environments using this library warrant immediate attention given the public exploit status.
Exploitability
Exploitation requires valid authentication credentials and low complexity—an attacker with legitimate user access can craft malicious kwargs to invoke CollectionRouter methods outside their intended scope. The public availability of exploit code removes the barrier to weaponization, meaning this is not a theoretical concern. The absence of CISA KEV listing does not diminish the threat given the combination of public proof-of-concept and modest authentication hurdles in many organizations.
Remediation
Upgrade deep-searcher to a patched version once released and tested. Zilliz's fix is currently under review; monitor their repository and security advisories for an official release. In the interim, apply the following mitigations: restrict deep-searcher API access via network segmentation or authentication gateways, audit access logs for suspicious CollectionRouter invocations, and review user permissions to minimize the number of accounts with search privileges.
Patch guidance
Wait for Zilliz to merge and release the pending fix. Once available, verify the patch version against the official Zilliz releases (GitHub or package registry). Test thoroughly in a staging environment before production rollout, especially if deep-searcher is embedded in critical search or retrieval pipelines. Confirm that the patched version validates kwargs appropriately and enforces collection-level access policies.
Detection guidance
Monitor logs for CollectionRouter.invoke calls that include unexpected or malformed kwargs parameters. Look for patterns where authenticated users access collections outside their stated permissions or query scopes. If deep-searcher exposes metrics or debugging endpoints, alert on unusual method invocations or exception spikes. Network detection should flag unexpected internal API calls to collection-routing services from accounts with minimal search activity.
Why prioritize this
Although CVSS is moderate (5.4), several factors warrant elevated priority: public exploit availability, ease of exploitation for authenticated users, and potential data exposure in environments storing sensitive embeddings or documents. Organizations with strict data governance or that handle regulated information should treat this as high priority. DevOps and platform teams should patch as soon as verified releases are available.
Risk score, explained
CVSS 5.4 (Medium) reflects a network-accessible vulnerability requiring valid authentication and delivering confidentiality and availability impact with no integrity risk. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L indicates low attack complexity and no privilege escalation needed. However, the public exploit availability and the library's role in AI/ML pipelines suggest operational risk may exceed the base score in real-world deployments.
Frequently asked questions
Do we need to wait for an official patch, or can we build from the pull request?
Building from an unmerged PR introduces integration and testing risk. Best practice is to monitor Zilliz's official releases and security announcements for a formal patch version. Attempting a custom build from the PR may introduce inconsistencies and complicate future updates. Apply interim mitigations (access controls, monitoring) until an official release is available.
Does this vulnerability allow unauthenticated access?
No. The CVSS vector and advisory confirm that valid authentication is required. An attacker must possess legitimate user credentials or compromise an account first. However, in organizations with permissive user onboarding or shared credentials, this barrier may be lower than expected.
Is deep-searcher widely used, and what is the real-world risk?
Deep-searcher is part of the Zilliz ecosystem (vector database and search tools) and is gaining adoption in AI/ML and semantic search applications. Risk depends on your use case: if deep-searcher is exposed to untrusted user populations or handles sensitive embeddings, prioritize patching. For internal-only or low-stakes search tasks, interim mitigations may suffice while awaiting a release.
What should we log or monitor to detect exploitation?
Focus on CollectionRouter method invocations with unusual or missing authorization context. Monitor for access patterns that violate expected permission boundaries (e.g., users querying collections they should not see). If available, enable detailed logging of kwargs parameters and cross-reference with user privileges. Alert on exception spikes that suggest failed or retry-based exploitation attempts.
This analysis is based on the CVE-2026-11466 advisory published on 2026-06-07 and last modified on 2026-06-17. No CVSS score, patch version, or remediation availability should be considered definitive until verified against the official Zilliz security advisory and repository. Organizations are responsible for assessing their own dependency versions, testing patches in staging environments, and determining risk tolerance in their specific context. This page does not constitute legal, compliance, or procurement advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-11532MEDIUMImproper Access Control in imvks786 Student Management System
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation