CVE-2026-10800: PaddlePaddle FastDeploy Weak Hash Vulnerability
PaddlePaddle FastDeploy versions up to 2.4.1 contain a weakness in how the MultimodalHasher component generates hashes for multimodal features. An attacker with local system access and user-level privileges could manipulate the hash_features function to use cryptographically weak hashing, potentially allowing them to forge or predict hash values. This is a low-severity issue that requires both local access and significant technical effort to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-327, CWE-328
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in PaddlePaddle FastDeploy up to 2.4.1. Affected by this issue is the function hash_features of the file fastdeploy/multimodal/hasher.py of the component MultimodalHasher. Executing a manipulation can lead to use of weak hash. The attack requires local access. A high complexity level is associated with this attack. The exploitation is known to be difficult. This patch is called 374945747652a8d32965591c0c01a00c88b7067f. Applying a patch is advised to resolve this issue.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in fastdeploy/multimodal/hasher.py, specifically in the hash_features function of the MultimodalHasher component. The weakness allows use of insufficient hash algorithms (CWE-327) and weak cryptographic mechanisms (CWE-328) that do not provide adequate collision resistance or preimage resistance. An attacker must have local system access and user-level permissions to trigger the vulnerability. The high attack complexity indicates that exploitation requires detailed understanding of the hashing implementation and careful manipulation of input conditions. The patch identified as 374945747652a8d32965591c0c01a00c88b7067f addresses the underlying cryptographic deficiency.
Business impact
The business impact is limited due to the requirement for local access and elevated complexity. However, in environments where untrusted users share compute resources—such as shared ML training clusters or containerized deployment platforms—a malicious local user could compromise the integrity of multimodal feature hashes. This could enable hash collisions leading to incorrect feature matching in ML pipelines, potentially corrupting model outputs or enabling data poisoning attacks on training workflows. Organizations running FastDeploy in multi-tenant environments should prioritize remediation over those using it in isolated, single-tenant deployments.
Affected systems
PaddlePaddle FastDeploy up to and including version 2.4.1 is affected. The vulnerability is specific to the MultimodalHasher component, so only deployments using multimodal feature hashing are at risk. Users of FastDeploy for other purposes (computer vision, NLP without multimodal features) should verify whether their installation includes or depends on the affected component.
Exploitability
The CVSS 3.1 score of 3.6 (LOW severity) reflects limited exploitability. Exploitation requires: (1) local system access, (2) user-level privileges or higher, (3) high technical complexity to craft inputs that meaningfully manipulate hash output, and (4) knowledge of the hashing algorithm implementation details. The vulnerability is not remotely exploitable and does not appear on CISA's Known Exploited Vulnerabilities catalog, indicating no active weaponized exploitation in the wild. However, once the patch is public, motivated attackers in multi-tenant environments may develop practical exploits.
Remediation
Apply the available patch (commit 374945747652a8d32965591c0c01a00c88b7067f or verify the corresponding release version against the official PaddlePaddle FastDeploy repository). If immediate patching is not feasible, restrict local system access to trusted users only, implement kernel-level access controls to prevent local privilege escalation, and consider deploying FastDeploy in isolated, single-tenant containers or VMs where multi-user scenarios are eliminated.
Patch guidance
Obtain the patch from the official PaddlePaddle FastDeploy GitHub repository or release channel. Verify that the patch commit (374945747652a8d32965591c0c01a00c88b7067f) is present in your deployed version. Test the patched version in a non-production environment to confirm that multimodal hashing functionality remains correct and that no regressions are introduced. Update deployment documentation to reflect the new version, and communicate the patch to all teams running FastDeploy.
Detection guidance
Monitor for local user accounts accessing fastdeploy/multimodal/hasher.py or calling hash_features with unusual or repeated inputs. Log attempts to load or inspect hash implementations at runtime. Verify the integrity of the hasher.py file by comparing its checksum against the official release. Implement file-access controls to alert on modifications to the multimodal hashing component. For ML pipeline monitoring, watch for unexpected hash collisions or mismatches in downstream feature matching that might indicate hash manipulation.
Why prioritize this
This vulnerability should be addressed during normal patching cycles but does not require emergency remediation unless your organization operates a multi-tenant ML platform or shared FastDeploy infrastructure. The combination of local-access requirement, user-privilege requirement, high attack complexity, and lack of known exploits means the real-world risk in most single-tenant or air-gapped deployments is minimal. Prioritize it below remote code execution and authentication bypass vulnerabilities, but include it in your standard quarterly or bimonthly patch windows.
Risk score, explained
The CVSS 3.1 score of 3.6 reflects a low-severity vulnerability because: (1) Attack Vector is Local (AV:L)—no remote exploitation possible; (2) Attack Complexity is High (AC:H)—requires significant technical effort and deep knowledge; (3) Privileges Required is Low (PR:L)—only user-level access, not root; (4) Integrity and Availability impacts are Low (I:L, A:L)—hash manipulation causes limited harm compared to confidentiality breaches or data destruction. The vulnerability presents a secondary or tertiary risk in most threat models unless hash integrity is critical to your ML pipelines.
Frequently asked questions
Do we need to patch if we use FastDeploy for computer vision only?
Most likely not, unless your deployment explicitly includes or depends on the MultimodalHasher component. Review your FastDeploy build configuration and dependency list to confirm. If you do not use multimodal features (text + image hashing together), this vulnerability does not affect you. However, patching as part of routine updates is still recommended for defense-in-depth.
What is the practical impact of weak hashing in multimodal feature matching?
Weak hashing can lead to hash collisions where different features produce the same hash, or to predictable hash values that an attacker can forge. In ML pipelines, this could cause legitimate features to be mismatched or poisoned features to be accepted as authentic. The severity depends on whether your model retraining or inference decisions depend on the integrity of these hashes.
Is this vulnerability exploitable remotely or only locally?
Exploitation requires local system access and user-level or higher privileges. Remote exploitation is not possible. The attacker must already have a foothold on the system, making this a post-compromise or insider-threat risk rather than a primary attack vector.
How do we know if an attacker has exploited this vulnerability?
Indicators include: repeated local calls to hash_features with crafted or unusual inputs, unexpected hash collisions in your multimodal feature logs, mismatches between expected and actual hash values, and file modifications to hasher.py. Enable logging at the application and OS kernel level to detect suspicious access patterns.
This analysis is provided for informational purposes and does not constitute legal or compliance advice. SEC.co does not warrant the accuracy, completeness, or timeliness of this content. Organizations must verify all technical details, patch availability, and version numbers against official vendor advisories and release notes before taking action. Patch version numbers and commit hashes referenced should be validated against the official PaddlePaddle FastDeploy GitHub repository. Organizations are responsible for assessing their own risk posture and determining appropriate remediation timelines. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10766LOWMLRun DataFrame Hash Weakness (CVSS 3.6)
- CVE-2026-10783LOWWeak Hash in Gradio Audio Cache – Risk Assessment & Patching Guide
- CVE-2026-10801LOWWeak Hash in ModelScope ms-swift PIL Image Cache
- CVE-2026-10803LOWMLflow Weak Hash Vulnerability in Dataset Digest Computation
- CVE-2026-10804LOWStreamlit Weak Hashing Vulnerability in Palette Handler (CVSS 3.6)
- CVE-2026-10812LOWGPTCache Weak Hash Vulnerability in Cache Key Handler (CVSS 3.6)
- CVE-2026-10813LOWLMCache Weak Hash Vulnerability in KV Cache Handler
- CVE-2026-10814MEDIUMWeak Hash Implementation in Milvus Grantee ID Handler