PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10803 MLflow CVE debrief

A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult.

Vendor
MLflow
Product
MLflow
CVSS
LOW 1.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-04
Advisory published
2026-06-04
Advisory updated
2026-06-04

Who should care

Users of MLflow up to version 3.10.0 should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by the use of a weak hash in the mlflow.data.digest_utils function of the mlflow/data/digest_utils.py file. This could allow an attacker to launch an attack on the local host with high complexity and difficult exploitability.

Defensive priority

The CVSS score for this vulnerability is 1.1, indicating a low severity.

Recommended defensive actions

  • Users should update MLflow to a version beyond 3.10.0 to mitigate this vulnerability.
  • Users can refer to [ref-5](https://github.com/mlflow/mlflow/issues/22419) for mitigation and issue tracking.

Evidence notes

The project was informed of the problem early through a pull request but has not reacted yet.

Official resources

CVE-2026-10803 was published on 2026-06-04T12:16:24.440Z and modified on 2026-06-04T18:24:41.013Z.