Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in onnx onnx-mlir up to 0.5.0.0. Affected by this issue is the function generate_hash_key of the file src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py of the component Placeholder Node Cache Handler. Such manipulation leads to use of weak hash. An attack has to be approached locally. A high complexity level is associated with this attack. The exploitation is known to be difficult. The name of the patch is 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4. Applying a patch is advised to resolve this issue.
AnalysisAI
Weak cache key construction in onnx-mlir's torch backend (versions up to 0.5.0.0) omits tensor data type (dtype) from placeholder node hash keys, enabling cache collisions between semantically distinct nodes. A locally authenticated attacker with high-complexity manipulation can cause the compiler to incorrectly reuse cached compilation results across mismatched dtypes, yielding low-integrity and low-availability impacts. No public exploit is identified at time of analysis; the upstream fix is confirmed via commit 72c5187 and PR #3427.
Technical ContextAI
onnx-mlir is a compiler toolchain that lowers ONNX model graphs to native machine code. The affected component is the torch_onnxmlir Python backend (src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py), where the generate_hash_key function constructs a cache key for placeholder nodes as f'om_placeholder_{placeholder_counter}_[{shape_str}]' - encoding only tensor shape, not dtype. CWE-328 (Use of Weak Hash) applies because this key omits a critical distinguishing attribute: two placeholder nodes with identical shapes but different data types (e.g., float32 vs. int64) hash to the same value. The fix in PR #3427 appends _{dtype} to produce f'om_placeholder_{placeholder_counter}_[{shape_str}]_{dtype}', making the key collision-resistant for differing dtypes. CPE cpe:2.3:a:onnx:onnx-mlir:*:*:*:*:*:*:*:* covers all versions through 0.5.0.0.
RemediationAI
Apply the upstream fix by incorporating commit 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4, available via PR #3427 at https://github.com/onnx/onnx-mlir/pull/3427. The patch modifies generate_hash_key to append the tensor dtype to the placeholder cache key, eliminating collisions between same-shape, different-dtype nodes. An exact released tagged version incorporating this fix has not been independently confirmed from available intelligence - users should verify that their target release includes this specific commit before considering remediation complete. As a compensating control pending patch deployment, ML engineers compiling models with the torch_onnxmlir backend should avoid or disable placeholder node caching in workflows that involve multiple dtypes sharing identical tensor shapes; note this may degrade compilation performance. The official fix is the only fully effective remediation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-328 – Use of Weak Hash
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34826
GHSA-h7gg-9w38-vh5g