Description
A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-04
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Streamlit's internal caching layer, specifically the Palette handler used by hashing functions. By using a weak hash algorithm, an attacker with local system access can craft inputs that collide, potentially overriding cached data or bypassing expected behavior. This could degrade data integrity or allow subtle manipulation of the application state. The weakness corresponds to CWE-327 and CWE-328, indicating the use of weak cryptographic algorithms.

Affected Systems

Streamlit library versions up to 1.53.0 are affected. Any deployment running Streamlit 1.53.0 or earlier, regardless of operating system, is potentially vulnerable. The issue is confined to the internal caching component and does not extend to external network services.

Risk and Exploitability

The CVSS score of 2.0 labels the vulnerability as low severity. Exploitation requires local access and is difficult, and the issue has not been identified in the CISA KEV catalog. Consequently, the threat is limited to environments where an attacker can run or modify Streamlit processes locally, while remote attacks are unlikely. Administrators should monitor the Streamlit repository for a fix before considering any change to local user policies.

Generated by OpenCVE AI on June 4, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security fix bundled in the next Streamlit release once pull request #14635 is merged.
  • If the fix is not yet available, disable or reconfigure the internal caching mechanism that uses the Palette handler to avoid using the weak hash.
  • Restrict local system users who can run Streamlit applications to trusted accounts to reduce the risk of local tampering.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Snowflake; Snowflake streamlit |
| CPEs | | cpe:2.3:a:snowflake:streamlit:*:*:*:*:*:*:*:* |
| Vendors & Products | | Snowflake; Snowflake streamlit |

Thu, 04 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. |
| Title | | Streamlit Palette hashing.py weak hash |
| First Time appeared | | Streamlit; Streamlit streamlit |
| Weaknesses | | CWE-327; CWE-328 |
| CPEs | | cpe:2.3:a:streamlit:streamlit:*:*:*:*:*:*:*:* |
| Vendors & Products | | Streamlit; Streamlit streamlit |
| References | | |
| Metrics | | cvssV2_0: {'score': 2.4, 'vector': 'AV:L/AC:H/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C'} |
| | | cvssV3_0: {'score': 3.6, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C'} |
| | | cvssV3_1: {'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C'} |
| | | cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T14:23:02.735Z

Reserved: 2026-06-04T05:09:57.527Z

Link: CVE-2026-10804

Vulnrichment

Updated: 2026-06-04T14:22:57.796Z

NVD

Status: Analyzed

Published: 2026-06-04T12:16:24.620

Modified: 2026-06-10T17:47:27.803

Link: CVE-2026-10804

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:00:15Z

Weaknesses
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328: Use of Weak Hash