Weak Hash Vulnerability in DataFrame Hash Handler of mlrun by the Vendor
CVE-2026-10766

2LOW

Key Information:

Vendor

mlrun

Status
Mlrun
Vendor
CVE Published:
3 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-10766?

A vulnerability has been identified in the mlrun product, specifically affecting the DataFrame Hash Handler. This issue arises within the function mlrun.utils.helpers.calculate_dataframe_hash, where a weak hash function is utilized. The exploit requires local access, resulting in a higher complexity level for potential attackers. Although the exploit has been publicly disclosed, the fix is currently pending acceptance in the development lifecycle. It is crucial for users to be aware of this vulnerability, as it poses risks to data integrity.

Affected Version(s)

mlrun 1.12.0-rc1

mlrun 1.12.0-rc2

mlrun 1.12.0-rc3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-10766 - Proof of Concept

References

https://vuldb.com/vuln/368136
vdb-entrytechnical-description
https://vuldb.com/vuln/368136/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-10766
third-party-advisory

CVSS V4

Score:
2
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dem0 (VulDB User)
VulDB CNA Team
.