LOW 3.6

CVE-2026-10801: Weak Hash in ModelScope ms-swift PIL Image Cache

A weakness in how ModelScope's ms-swift library (versions up to 4.2.0) hashes cached PIL images creates a local integrity risk. An attacker with local system access and user-level privileges could manipulate image cache validation, potentially leading to cache poisoning or image substitution. The vulnerability requires significant technical effort to exploit and poses limited immediate threat in most environments, but should be addressed before deployment in sensitive workflows.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-327, CWE-328
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in modelscope ms-swift up to 4.2.0. This affects the function Template._save_pil_image of the file swift/template/base.py of the component PIL Image Cache Key Handler. The manipulation leads to use of weak hash. An attack has to be approached locally. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10801 involves improper cryptographic hashing in the Template._save_pil_image function within swift/template/base.py. The component responsible for managing PIL image cache keys uses weak or inadequate hash functions (CWE-327, CWE-328), allowing an attacker to forge or manipulate cache entries. The vulnerability is constrained by local-only attack vector, high attack complexity, and requirement for local user privileges, making real-world exploitation difficult despite public disclosure of the issue.

Business impact

For teams using ms-swift in data preparation or model development pipelines, this vulnerability introduces subtle integrity risks—specifically the potential for undetected image substitution during preprocessing. While the CVSS score of 3.6 reflects low overall severity, the impact manifests as loss of data integrity rather than confidentiality or availability. This is particularly relevant in computer vision workflows where cache manipulation could silently alter training or evaluation datasets.

Affected systems

ModelScope ms-swift library versions up to and including 4.2.0 are affected. The vulnerability is specific to the PIL image caching mechanism and impacts any system using ms-swift for image handling. It does not affect other modelscope components or unrelated libraries. Organizations should inventory ms-swift usage across development, research, and production environments to determine exposure scope.

Exploitability

Exploitation requires local system access, existing user-level privileges, and high technical complexity. The attacker must understand the cache structure, hash generation logic, and image serialization format to successfully forge a malicious cache entry. Public disclosure exists, but the combination of high attack complexity and access requirements keeps real-world exploitation likelihood low. Most cloud and containerized deployments with proper isolation provide inherent protection.

Remediation

Update ms-swift to a version that resolves the weak hash implementation. A pull request addressing the issue is pending acceptance by the maintainers. Monitor the ModelScope GitHub repository for the next patched release and apply it to affected systems. Until a patch is available, restrict local system access to trusted users only and consider implementing file integrity monitoring on cache directories.

Patch guidance

Check the ModelScope ms-swift GitHub repository for an available security patch version beyond 4.2.0. When a fix is released, verify the release notes confirm that Template._save_pil_image hash functions have been updated to use cryptographically strong algorithms. Test the patched version in a development environment with your image processing workflows before production deployment. If no patch is yet available, consider pinning ms-swift to 4.2.0 and implementing compensating controls rather than upgrading to untested alternatives.

Detection guidance

Monitor file access patterns in ms-swift cache directories (typically .cache or .ms_cache locations) for unexpected modifications by non-owner processes. Implement file integrity monitoring on serialized PIL image cache files to detect unauthorized tampering. Log local system authentication and privilege escalation attempts. If using ms-swift in automated pipelines, validate image checksums before and after cache operations using a separate cryptographic hash function independent of the cache mechanism.

Why prioritize this

Assign this vulnerability low priority in most environments due to the local-only attack vector, user-level privilege requirement, and high technical complexity. However, increase priority if ms-swift processes untrusted or sensitive image data, if your threat model includes insider threats with local access, or if cache directories reside on shared multi-user systems. Development and research environments merit faster remediation than production due to ease of patching.

Risk score, explained

The CVSS 3.1 score of 3.6 (LOW) reflects the combination of local attack vector (AV:L), high attack complexity (AC:H), and low-privilege requirement (PR:L), which together substantially limit exploitability. The integrity impact (I:L) and availability impact (A:L) indicate only partial compromise of affected functions. The overall profile suggests the vulnerability is of concern primarily to defenders of systems with active insider threat or where cache integrity is critical to operations.

Frequently asked questions

Do we need to patch immediately if we use ms-swift?

Not necessarily. Assess whether your use case processes sensitive image data and whether your systems have local multi-user access. If ms-swift runs in isolated containers or processes non-critical images, patch during your next maintenance cycle. If you process sensitive data or have shared system access, prioritize patching once a fix becomes available.

What is the difference between this weak hash issue and standard password hashing vulnerabilities?

This vulnerability affects cache validation, not authentication. An attacker cannot gain unauthorized access via this flaw. Instead, they can forge or swap cached images if they already have local system access—a much narrower threat model. The weak hash weakens integrity verification, not access control.

Will updating ms-swift break our existing code?

Patch versions typically preserve backward compatibility. Once a security patch for the hashing mechanism is released, it should not require changes to calling code. However, always test patches in a staging environment with your actual workflows before deploying to production.

How do we know if our systems have been compromised via this vulnerability?

Cache tampering leaves subtle signals: image output inconsistencies, unexpected variation in model predictions for identical inputs, or file modification timestamps on cache files that don't match access patterns. Implement integrity checks on cached images and monitor logs for unusual local process activity targeting cache directories.

This analysis is provided for informational purposes and does not constitute professional security advice. CVSS scoring, affected versions, and KEV status reflect data current as of the analysis date. Verify all patch information and guidance against official ModelScope advisories before implementation. Organizations should conduct their own risk assessment based on their specific deployment, threat model, and data sensitivity. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and shall not be liable for any decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).