CVE-2026-10803
published 2026-06-04


Priority: P4 · 16 · low
CVSS 3.1: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS: 0.10% (1.2th percentile)

A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Affected

31 ranges · showing 25

Vendor | Product | Version range | Fixed in
lfprojects | mlflow | <= 3.10.0 |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
lfprojects | mlflow | |
rhoai | odh-mlflow-rhel9 | |
rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | |
rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | |
rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | |
rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | |
rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | |
rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | |
rhoai | odh-th06-cpu-torch210-py312-rhel9 | |
rhoai | odh-th06-cuda130-torch210-py312-rhel9 | |
rhoai | odh-th06-rocm64-torch291-py312-rhel9 | |
rhoai | odh-training-cuda128-torch29-py312-rhel9 | |
rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | |
rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | |

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 3.6 | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
nvd | v4.0 | 1.1 | LOW | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 2.4 | LOW | AV:L/AC:H/Au:S/C:N/I:P/A:P
vendor_redhat | | 3.6 | LOW |