SCA: security update for mlflow (GHSA-5qmp-p3c4-72qj)

low Tenable Self-Hosted Container Security Plugin ID 444746

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of
the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes
use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have
high complexity. The exploitability is assessed as difficult. The exploit has been published and may be
used. The project was informed of the problem early through a pull request but has not reacted yet.
(CVE-2026-10803)

Solution

Update the mlflow library and its related packages to version 3.10.1 or later.

See Also

https://github.com/advisories/GHSA-5qmp-p3c4-72qj

Plugin Details

Severity: Low

ID: 444746

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/15/2026

Updated: 7/15/2026

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.74

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.4

Temporal Score: 1.9

Vector: CVSS2#AV:L/AC:H/Au:S/C:N/I:P/A:P

CVSS Score Source: CVE-2026-10803

CVSS v3

Risk Factor: Low

Base Score: 3.6

Temporal Score: 3.3

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2

Threat Score: 1.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/4/2026

Vulnerability Publication Date: 6/4/2026

Reference Information

CVE: CVE-2026-10803

cwe: CWE-327