Description
A weakness has been identified in PaddlePaddle FastDeploy up to 2.4.1. Affected by this issue is the function hash_features of the file fastdeploy/multimodal/hasher.py of the component MultimodalHasher. Executing a manipulation can lead to use of weak hash. The attack requires local access. A high complexity level is associated with this attack. The exploitation is known to be difficult. This patch is called 374945747652a8d32965591c0c01a00c88b7067f. Applying a patch is advised to resolve this issue.
Published: 2026-06-04
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the hash_features function of the MultimodalHasher component in PaddlePaddle FastDeploy. It uses a weak hashing algorithm that can lead to hash collisions, allowing an attacker to forge hash values and potentially undermine integrity checks. This weakness is classified as a use of weak cryptographic algorithm (CWE‑327) and inadequate encryption strength (CWE‑328).

Affected Systems

PaddlePaddle FastDeploy versions up to 2.4.1 are affected, specifically the MultimodalHasher component. Users of any of these versions should determine whether a newer release contains the fix.

Risk and Exploitability

The CVSS score of 2 signals a low impact. The weakness requires local access and has a high complexity level, making exploitation difficult. EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, resulting in a low likelihood of real‑world exploitation, though the weak hash remains a concern for data integrity.

Generated by OpenCVE AI on June 4, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PaddlePaddle FastDeploy to version 2.4.2 or later that contains the hash_features fix.
  • If a direct upgrade is not feasible, apply the patch commit 374945747652a8d32965591c0c01a00c88b7067f to the FastDeploy source or install the updated package.
  • Restart all services that rely on FastDeploy to complete the update.

Generated by OpenCVE AI on June 4, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in PaddlePaddle FastDeploy up to 2.4.1. Affected by this issue is the function hash_features of the file fastdeploy/multimodal/hasher.py of the component MultimodalHasher. Executing a manipulation can lead to use of weak hash. The attack requires local access. A high complexity level is associated with this attack. The exploitation is known to be difficult. This patch is called 374945747652a8d32965591c0c01a00c88b7067f. Applying a patch is advised to resolve this issue.
Title PaddlePaddle FastDeploy MultimodalHasher hasher.py hash_features weak hash
First Time appeared Paddlepaddle
Paddlepaddle fastdeploy
Weaknesses CWE-327
CWE-328
CPEs cpe:2.3:a:paddlepaddle:fastdeploy:*:*:*:*:*:*:*:*
Vendors & Products Paddlepaddle
Paddlepaddle fastdeploy
References
Metrics cvssV2_0

{'score': 2.4, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 3.6, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Paddlepaddle Fastdeploy
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T09:45:12.021Z

Reserved: 2026-06-04T04:57:09.234Z

Link: CVE-2026-10800

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T10:16:38.633

Modified: 2026-06-04T10:16:38.633

Link: CVE-2026-10800

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T11:30:12Z

Weaknesses