LOW 3.6

CVE-2026-10803: MLflow Weak Hash Vulnerability in Dataset Digest Computation

MLflow versions up to 3.10.0 contain a cryptographic weakness in the Dataset Digest Computation module. The vulnerability uses an insufficiently strong hash function for dataset digest operations, which could allow an attacker with local system access and user-level privileges to tamper with dataset integrity checks or trigger application errors. Exploitation requires significant technical effort and local presence on the affected machine.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-327, CWE-328
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10803 is a weak cryptography vulnerability (CWE-327, CWE-328) in MLflow's mlflow/data/digest_utils.py module. The Dataset Digest Computation function employs an insufficiently strong hash algorithm, creating a collision or preimage risk under local attack conditions. The vulnerability requires local access (AV:L), high attack complexity (AC:H), and low-level user privileges (PR:L). While impact is limited to integrity (I) and availability (A) at LOW severity, the published exploit reduces the bar for reproducing the flaw. The MLflow project has not yet responded to early disclosure via pull request.

Business impact

For organizations relying on MLflow for model data governance, this vulnerability primarily threatens data integrity verification rather than confidentiality. Attackers with local system access could forge dataset digests, potentially corrupting provenance records, triggering false validation failures, or obscuring data lineage in machine learning pipelines. The practical risk is moderate because successful exploitation demands local system access, user-level privileges, and specialized knowledge. Environments using MLflow in air-gapped or tightly controlled development settings face lower risk; those sharing ML infrastructure across teams or enabling untrusted local access warrant closer attention.

Affected systems

MLflow versions 3.10.0 and earlier are affected. Organizations should audit their MLflow deployments to identify installed versions. The vulnerability is specific to the Dataset Digest Computation module; other MLflow functionality is not directly impacted. Systems running the affected versions on multi-user or shared-access systems face elevated risk.

Exploitability

Exploitation requires local system access, user-level authentication, and high technical complexity. An attacker must understand hash function weaknesses and the MLflow digest workflow to craft a meaningful collision or forged digest. A proof-of-concept exploit has been published, which may lower the barrier to entry for skilled attackers but does not make exploitation trivial. The attack surface is limited to local threat actors; remote exploitation is not feasible. The combination of access requirements and complexity places this vulnerability in the 'difficult' category despite public disclosure.

Remediation

Upgrade MLflow to a patched version released after 3.10.0 that addresses weak hash usage in digest_utils.py. Verify the specific patch version against the vendor advisory before deploying. In the interim, restrict local system access to MLflow hosts to trusted users and implement file integrity monitoring on dataset digest outputs to detect tampering. Review access control policies for multi-user ML infrastructure.

Patch guidance

Monitor the LF Projects MLflow repository and security advisories for an updated release that remediates the weak hash implementation in Dataset Digest Computation. Apply patches promptly to systems where multiple users access MLflow or where dataset integrity is critical to compliance workflows. Test patches in a non-production environment first, particularly if your pipelines depend on digest validation. Verify against the vendor advisory that the released version fully addresses CWE-327 and CWE-328 concerns.

Detection guidance

Enable audit logging on MLflow hosts to capture Dataset Digest Computation operations and monitor for unexpected modifications to digest metadata. Use file integrity monitoring (FIM) tools to alert on changes to digest_utils.py or cached digest outputs. Network and host-level anomaly detection should flag unusual patterns in local process access to MLflow data directories. In development environments, periodically verify dataset digest reproducibility to detect silent corruption. Review access logs for users with unusual privileges escalation patterns around dataset operations.

Why prioritize this

CVE-2026-10803 merits monitoring but does not demand emergency action for most organizations. The LOW CVSS score (3.6) reflects limited severity, and the high attack complexity combined with local-only access requirements significantly constrains real-world exploitation. However, prioritization should increase if your organization operates shared ML infrastructure with untrusted local users, relies on dataset digest integrity for compliance validation, or has published models that depend on dataset provenance assurance. Development teams actively using MLflow for model governance should plan an upgrade within a standard patch cycle once a fix is available.

Risk score, explained

The CVSS 3.1 score of 3.6 (LOW) reflects several mitigating factors: local-only attack vector (AV:L), high attack complexity (AC:H), and requirement for low-level user privileges (PR:L). Impact is limited to integrity and availability, with no confidentiality breach. While the weak hash cryptographic flaw is inherently serious in principle, the operational and access constraints prevent widespread exploitation. The published exploit code raises awareness but does not overcome the fundamental access and complexity barriers. Organizations with strict access controls and isolation between users face minimal practical risk.

Frequently asked questions

Do we need to patch immediately if we run MLflow in a single-user development environment?

Not urgently. Single-user or air-gapped environments have minimal attack surface because the vulnerability requires local system access and user-level privileges. However, you should plan to patch during your next regular maintenance window once a fix is available. If your development environment will later be expanded to multi-user access, prioritize patching before that transition.

Will this vulnerability affect our production ML model inference?

It depends on your architecture. If your production systems call MLflow only for metadata queries and do not rely on dataset digest validation for runtime decisions, the risk is low. If dataset digests are part of a critical validation or compliance chain in production, the integrity tampering risk is more material, and you should plan expedited patching and add additional integrity checks.

How does the published exploit affect our risk?

The published proof-of-concept demonstrates the weakness but does not make the attack effortless. Exploitation still requires local system access, authentication, and understanding of MLflow's internals. It primarily benefits researchers and sophisticated threat actors; the complexity remains high. However, it justifies adding this item to your patch-planning cycle rather than deferring indefinitely.

What should we do while waiting for a vendor patch?

Reduce local access to MLflow hosts by implementing principle of least privilege and removing unnecessary user accounts. Use host-based file integrity monitoring to detect tampering with digest outputs. Implement compensating controls such as periodic digest recomputation or checksumming of critical dataset metadata. Document which datasets are most sensitive to integrity concerns and prioritize those for enhanced monitoring.

This analysis is based on publicly available information as of the publication date. CVSS scores, affected product versions, and vulnerability status reflect the source data provided and may change as vendors release patches or new information emerges. Exploit code and technical details referenced are cited for awareness only; SEC.co does not provide weaponization guidance or step-by-step attack instructions. Organizations should verify patch availability and compatibility against their specific MLflow deployments and vendor advisories before implementing remediation. This analysis is intended for security professionals and does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).