LOW 3.6

CVE-2026-10766: MLRun DataFrame Hash Weakness (CVSS 3.6)

MLRun versions up to 1.12.0-rc3 contain a weakness in how they hash dataframes. The vulnerable function in mlrun/utils/helpers.py uses cryptographic methods that are considered inadequate for security purposes. An attacker with local access to a system running MLRun could potentially manipulate or forge data integrity checks, though doing so requires significant technical effort and local privileges. The vulnerability is not currently listed as actively exploited in the wild, but proof-of-concept details have been publicly disclosed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-327, CWE-328
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Handler. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10766 affects the calculate_dataframe_hash function within MLRun's helper utilities. The issue stems from reliance on weak or deprecated cryptographic hash algorithms (CWE-327: Use of Broken or Risky Cryptographic Algorithm) combined with improper hash validation logic (CWE-328: Use of Insufficiently Random Values). The vulnerability requires local access (AV:L), high attack complexity (AC:H), and low privileges (PR:L), meaning an authenticated local user must invest considerable effort to exploit it. The impact is limited to integrity degradation and potential availability disruption rather than confidentiality breach.

Business impact

For organizations using MLRun in data processing pipelines, this vulnerability could undermine data integrity controls. If an attacker exploits weak hash collision or forgery, they might cause MLRun to accept tampered dataframes as valid, leading to corrupted analytics, incorrect model training, or poisoned downstream outputs. The risk is primarily relevant in multi-tenant or shared-infrastructure scenarios where local access can be obtained. Most isolated, single-user deployments face minimal practical risk given the high attack complexity and privilege requirements.

Affected systems

MLRun versions through 1.12.0-rc3 are vulnerable. The issue resides specifically in the DataFrame Hash Handler component. Verify your MLRun installation version against the official MLRun releases. Importantly, no vendor product information was available in advisory databases at the time of publication, so check the MLRun project repository and release notes for clarification on affected versions and any interim mitigations.

Exploitability

Public exploit details exist, but actual exploitation remains difficult in practice. An attacker must already possess local system access and valid authentication credentials to interact with MLRun. The attack complexity is rated high, reflecting the non-trivial effort required to craft a collision or forge a valid hash under the weak algorithm. The scenario requiring both local presence and authenticated status significantly constrains real-world attack surfaces in typical cloud or SaaS deployments.

Remediation

Upgrade MLRun to a version newer than 1.12.0-rc3 once a stable patch is released. A pull request addressing this issue is currently pending acceptance into the codebase. Monitor the official MLRun GitHub repository for the merge and subsequent release. Until a patch is available, restrict local access to MLRun systems and apply principle of least privilege to accounts that interact with DataFrame operations.

Patch guidance

Watch the MLRun project repository and release notifications for a version that incorporates the pending pull request. When released, test the patched version in a non-production environment to verify compatibility with your data pipelines and configurations. Given the low severity rating, patching can typically be scheduled during standard maintenance windows rather than treated as emergency remediation. Coordinate upgrade timing with any downstream systems that depend on MLRun's hashing behavior to avoid unexpected validation changes.

Detection guidance

Monitor for calls to calculate_dataframe_hash with unusual or repeated parameter variations, which could indicate hash collision attempts. Log authentication and local access to systems running MLRun, especially from service accounts or non-standard users. Implement file integrity monitoring on mlrun/utils/helpers.py to detect unauthorized modifications. In data processing logs, watch for unexpected dataframe validation failures or acceptance of previously rejected data, which might signal exploitation attempts.

Why prioritize this

Despite public disclosure, this vulnerability merits medium-term but not immediate action. The CVSS 3.1 score of 3.6 (LOW severity) reflects the requirement for local access, high attack complexity, and limited impact scope. Prioritize patching if: (1) your MLRun deployment is on shared or multi-tenant infrastructure where local access is feasible, (2) dataframe integrity is critical to downstream compliance or model accuracy, or (3) you maintain strict vulnerability thresholds. Isolated, single-user research or development instances can defer patching until a stable release cycle.

Risk score, explained

The CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L vector produces a score of 3.6. Local attack vector (AV:L) and required privileges (PR:L) sharply restrict the threat model. High attack complexity (AC:H) means only skilled attackers with specific knowledge can succeed. The absence of confidentiality impact (C:N) and presence of only minor integrity and availability impacts (I:L, A:L) keep severity low. This is appropriate for a weak hashing issue that requires authentication and local presence to exploit.

Frequently asked questions

Should we patch this immediately, or can we defer?

Deferral is reasonable for most deployments. If your MLRun instance runs on shared infrastructure where untrusted users have local shell access, prioritize patching sooner. For isolated research or single-user setups, scheduling it in a regular maintenance cycle is acceptable. Monitor the MLRun project for patch availability.

What is the actual impact if someone exploits this?

The attacker could potentially forge or collide dataframe hashes, causing MLRun to accept tampered data as valid. This degrades data integrity controls but does not leak sensitive information. In worst case, corrupted dataframes propagate through analytics or model training, leading to incorrect insights or poisoned models.

Does this affect MLRun running in a container or cloud-managed service?

If the service is fully managed and you do not have local shell access, your risk is minimal. If you operate containers on shared Kubernetes nodes or EC2 instances where other users can obtain shell access, the local attack vector becomes relevant. Verify your deployment architecture and access controls.

What should we monitor while waiting for a patch?

Track logs for repeated dataframe validation errors, unexpected hash collisions, or successful validations of previously rejected data. Monitor local access attempts to MLRun systems, especially from service or utility accounts. Implement basic file integrity checks on the helpers.py component.

This analysis is provided for informational purposes. No guarantees are made regarding the accuracy, completeness, or timeliness of vulnerability details. Always verify CVSS scores, patch versions, and affected product lists against official vendor advisories and the CVE database before making remediation decisions. Patch availability and version information referenced here should be cross-checked with MLRun's official repository and release notes. Organizations should conduct their own risk assessment based on their specific deployment, access controls, and data criticality before prioritizing patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).