PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15605 wandb CVE debrief

A security vulnerability has been detected in wandb 0.25.2.dev1, specifically in the ArtifactManifestEntry.download function within the wandb/sdk/lib/hashutil.py file, which is part of the Artifact Integrity Validation component. The issue involves the use of a weak hash. The attack may be initiated remotely, but a high degree of complexity is needed, and exploitability is considered difficult. A pull request to fix this issue is awaiting acceptance. This vulnerability has a CVSS score of 2.3, indicating low severity.

Vendor
wandb
Product
wandb
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of wandb 0.25.2.dev1 who rely on Artifact Integrity Validation should be aware of this vulnerability and monitor for a fix. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their systems and plan for mitigation.

Technical summary

The vulnerability is in the ArtifactManifestEntry.download function in wandb/sdk/lib/hashutil.py. It involves the use of a weak hash for Artifact Integrity Validation. The CVSS score is 2.3, indicating a low severity. The attack vector is network-based, and the attack complexity is high. Users should review the official advisory for detailed technical information and mitigation strategies. This includes verifying affected product deployments, reviewing official advisories, planning vendor-supported updates, and checking relevant logs for exposed assets. Additionally, consider compensating controls for Artifact Integrity Validation and monitor for the acceptance of the pull request to fix the issue.

Defensive priority

Low priority due to the high complexity and low CVSS score. However, users should still monitor for a fix and consider compensating controls.

Recommended defensive actions

  • Inventory checks for wandb 0.25.2.dev1 usage
  • Monitoring for the acceptance of the pull request to fix the issue
  • Consider compensating controls for Artifact Integrity Validation
  • Review official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

Evidence is limited; primary official records indicate a vulnerability in wandb 0.25.2.dev1. Verification of affected scope and vendor remediation status is needed. The CVE record was published on 2026-07-13T23:16:45.383Z and has not been modified since. Additional verification tasks are required to confirm the affected systems and to monitor for a fix.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T23:16:45.383Z and has not been modified since.