PatchSiren cyber security CVE debrief
CVE-2026-15605 wandb CVE debrief
A security vulnerability has been detected in wandb 0.25.2.dev1, specifically in the ArtifactManifestEntry.download function within the wandb/sdk/lib/hashutil.py file, which is part of the Artifact Integrity Validation component. The issue involves the use of a weak hash. The attack may be initiated remotely, but a high degree of complexity is needed, and exploitability is considered difficult. A pull request to fix this issue is awaiting acceptance. This vulnerability has a CVSS score of 2.3, indicating low severity.
- Vendor
- wandb
- Product
- wandb
- CVSS
- LOW 2.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of wandb 0.25.2.dev1 who rely on Artifact Integrity Validation should be aware of this vulnerability and monitor for a fix. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their systems and plan for mitigation.
Technical summary
The vulnerability is in the ArtifactManifestEntry.download function in wandb/sdk/lib/hashutil.py. It involves the use of a weak hash for Artifact Integrity Validation. The CVSS score is 2.3, indicating a low severity. The attack vector is network-based, and the attack complexity is high. Users should review the official advisory for detailed technical information and mitigation strategies. This includes verifying affected product deployments, reviewing official advisories, planning vendor-supported updates, and checking relevant logs for exposed assets. Additionally, consider compensating controls for Artifact Integrity Validation and monitor for the acceptance of the pull request to fix the issue.
Defensive priority
Low priority due to the high complexity and low CVSS score. However, users should still monitor for a fix and consider compensating controls.
Recommended defensive actions
- Inventory checks for wandb 0.25.2.dev1 usage
- Monitoring for the acceptance of the pull request to fix the issue
- Consider compensating controls for Artifact Integrity Validation
- Review official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
Evidence is limited; primary official records indicate a vulnerability in wandb 0.25.2.dev1. Verification of affected scope and vendor remediation status is needed. The CVE record was published on 2026-07-13T23:16:45.383Z and has not been modified since. Additional verification tasks are required to confirm the affected systems and to monitor for a fix.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T23:16:45.383Z and has not been modified since.