Home

Description

A vulnerability was determined in AkariAsai self-rag up to 1fcdc420e48f50a7d7ab1ece5494221b93252e99. Affected by this issue is the function Indexer.deserialize_from of the file retrieval_lm/src/index.py of the component retrieval_lm. Executing a manipulation of the argument index_meta.faiss can lead to deserialization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

PUBLISHED Reserved 2026-07-12 | Published 2026-07-13 | Updated 2026-07-13 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Deserialization

Improper Input Validation

Product status

1fcdc420e48f50a7d7ab1ece5494221b93252e99
affected

Timeline

2026-07-12:Advisory disclosed
2026-07-12:VulDB entry created
2026-07-12:VulDB entry last update

Credits

Dem00000 (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/377885 (VDB-377885 | AkariAsai self-rag retrieval_lm index.py Indexer.deserialize_from deserialization) vdb-entry technical-description

vuldb.com/vuln/377885/cti (VDB-377885 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-15535 (CVE-2026-15535 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/854999 (Submit #854999 | AkariAsai self-rag 1fcdc420e48f50a7d7ab1ece5494221b93252e99 Unsafe Deserialization / Integrity Bypass) third-party-advisory

github.com/AkariAsai/self-rag/issues/105 exploit issue-tracking

github.com/AkariAsai/self-rag/pull/106 issue-tracking patch

github.com/AkariAsai/self-rag/ product

cve.org (CVE-2026-15535)

nvd.nist.gov (CVE-2026-15535)

Download JSON