CVE-2026-10803
published 2026-06-04
Priority: P4 · 16 · low
CVSS 3.1: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS: 0.10% (1.2th percentile)
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | <= 3.10.0 | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-training-cuda128-torch29-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.6 | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L |
| nvd | v4.0 | 1.1 | LOW | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 2.4 | LOW | AV:L/AC:H/Au:S/C:N/I:P/A:P |
| vendor_redhat | — | 3.6 | LOW | — |
Red Hat
mlflow: MLflow: Use of weak hash in Dataset Digest Computation
vendor_redhat·2026-06-04·CVSS 3.6
CVE-2026-10803 [LOW] CWE-328 mlflow: MLflow: Use of weak hash in Dataset Digest Computation
A flaw was found in MLflow. This vulnerability stems from the use of a weak hash algorithm within the Dataset Digest Computation component. A local attacker could potentially exploit this weakness, which may impa
GHSA
A flaw has been found in MLflow up to 3.10.0.
ghsa_unreviewed·2026-06-04
CVE-2026-10803 [LOW] CWE-327 A flaw has been found in MLflow up to 3.10.0.
No detection rules found.
No public exploits indexed.
Published: 2026-06-04