Description
A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Handler. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-03
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the mlrun.utils.helpers.calculate_dataframe_hash function in mlrun’s DataFrame Hash Handler, where a weak hash algorithm is employed. This flaw enables an attacker to craft input that may produce hash collisions, undermining the integrity checks that rely on these hashes. While the description suggests that the exploit is complex and difficult, the use of an insecure hash could still allow a local adversary to bypass integrity verification or substitute data without detection.

Affected Systems

mlrun versions up to 1.12.0-rc3 are affected. Exploitation requires local access to a host where mlrun is installed; no remote attack vector is documented.

Risk and Exploitability

The CVSS score of 2.0 categorizes the risk as low and the EPSS score is unavailable, indicating limited public exploitation data. The exploit is limited to a local environment, requires high complexity, and is noted as difficult to execute. It is not listed in the CISA KEV catalog, further reducing the immediate threat level, but the weakness presents a long-term concern for data integrity should the hash function be relied upon for security-critical decisions.

Generated by OpenCVE AI on June 3, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mlrun to the latest release that incorporates the fix for the weak hash issue (for example, 1.12.0-rc4 or later).
  • If an upgrade is not immediately possible, disable the DataFrame hash functionality or restrict its use to trusted, local contexts to prevent potential hash collision exploitation.
  • Continuously monitor mlrun security advisories and the GitHub issue/PR (9692) for updates confirming the merge and apply the patch as soon as it becomes available.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 20:15:00 +0000

Type / Values Removed / Values Added (initial entry: no values removed, all values below added)

Description: A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Handler. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
Title: mlrun DataFrame Hash helpers.py mlrun.utils.helpers.calculate_dataframe_hash weak hash
First Time appeared: Mlrun; Mlrun mlrun
Weaknesses: CWE-327; CWE-328
CPEs: cpe:2.3:a:mlrun:mlrun:*:*:*:*:*:*:*:*
Vendors & Products: Mlrun; Mlrun mlrun
References: (none)
Metrics:
  cvssV2_0: {'score': 2.4, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.6, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T20:00:11.168Z

Reserved: 2026-06-03T15:40:30.561Z

Link: CVE-2026-10766

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-03T20:16:18.463

Modified: 2026-06-03T20:16:18.463

Link: CVE-2026-10766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T21:30:32Z

Weaknesses