Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Handler. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
SHA-1 hash collisions in mlrun's DataFrame Hash Handler allow a local authenticated user to corrupt dataset artifact integrity in ML pipelines up to version 1.12.0-rc3. The calculate_dataframe_hash function in mlrun/utils/helpers.py uses SHA-1 over raw pandas hash bytes without encoding type or schema information, meaning structurally distinct DataFrames - differing only in column dtype (e.g., bool vs int, int8 vs int64, datetime64[ns] vs int64) - produce identical hashes. Publicly available exploit code exists (disclosed via GitHub issue #9691 and PR #9692 with concrete collision test cases); no active exploitation is confirmed in CISA KEV.
Technical ContextAI
mlrun is an open-source MLOps framework for managing ML pipelines, experiments, and dataset artifacts. The vulnerable function calculate_dataframe_hash in mlrun/utils/helpers.py computes artifact identifiers using hashlib.sha1(pandas.util.hash_pandas_object(dataframe).values).hexdigest(). CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) applies for two compounding reasons: first, SHA-1 is cryptographically deprecated and collision-prone; second, the implementation feeds raw numpy byte arrays from pandas.util.hash_pandas_object directly into SHA-1 with no schema or dtype metadata, so pandas' internal hash function treats different dtypes identically at the byte level. The PR #9692 fix replaces SHA-1 with SHA-256 and introduces schema-aware hashing that encodes column names, dtypes, dtype reprs, and index structure as a JSON schema prefix before hashing values - closing both the algorithm weakness and the type-confusion collision path. No CPE string is provided in available data.
RemediationAI
No vendor-released patched version has been confirmed at time of analysis - the fix is pending acceptance via GitHub pull request #9692 (https://github.com/mlrun/mlrun/pull/9692). Users should monitor that PR for merge and apply the resulting release once available. As a compensating control, operators running mlrun pipelines with dataset artifact deduplication should avoid workflows where DataFrames sharing identical raw values but differing dtypes (e.g., boolean vs integer columns, int8 vs int64, datetime64[ns] vs int64) are registered as artifacts - these are the documented collision patterns. There is no in-place workaround to replace the SHA-1 implementation without applying the patch, as the function is internal to the framework. Organizations with strict ML reproducibility requirements may consider pinning to a release once PR #9692 is merged and tagged.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34177
GHSA-phx2-3w66-h4pw