CVE-2026-10804
Analyzed Analyzed - Analysis Complete
Weak Hashing in Streamlit up to 1.53.0

Publication date: 2026-06-04

Last updated on: 2026-06-10

Assigner: VulDB

Description
A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-10804
EUVD
EUVD-2026-34246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
snowflake streamlit to 1.53.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10804 describes two distinct hash collision vulnerabilities in Streamlit's caching system that can cause incorrect or stale data to be returned without any error.

The first vulnerability involves a deterministic sampling seed in the _to_bytes() function within hashing.py, which affects large Pandas Series/DataFrames, Polars Series/DataFrames, and NumPy arrays. When these data structures exceed a certain size, a fixed subset of rows or elements is sampled for hashing using a hardcoded seed value of 0. This predictable sampling allows an attacker to craft two different inputs that produce the same hash by modifying only the non-sampled positions.

The second vulnerability affects PIL P-mode images (mode="P"), where the palette color information is omitted during hashing. Since tobytes() only returns pixel indices and not the actual color palette, two visually distinct images with different palettes but identical pixel data will produce the same hash. This can lead to incorrect cached images being served, such as manipulated charts appearing identical to the original.

Both vulnerabilities allow cache poisoning or incorrect data to be served, impacting all user sessions in the case of @st.cache_resource.

Impact Analysis

This vulnerability can lead to cache poisoning where an attacker replaces legitimate cached data with malicious or incorrect content for all users sharing the cache.

Specifically, for large data structures like Pandas, Polars, and NumPy arrays, an attacker can craft inputs that produce identical hashes, causing stale or incorrect data to be returned.

For PIL P-mode images, visually different images with different palettes but identical pixel data can be treated as the same, resulting in incorrect images being served.

Overall, this can cause data integrity issues, misleading outputs, and potentially undermine trust in the application using Streamlit's caching.

Detection Guidance

This vulnerability involves hash collisions in Streamlit's caching system affecting large pandas, polars, numpy objects, and PIL P-mode images. Detection would require inspecting the behavior of cached data in Streamlit applications, especially looking for incorrect or stale data being returned without errors.

Since the vulnerability requires local access and is related to the internal hashing mechanism of Streamlit's cache, network-based detection commands are not applicable.

To detect potential exploitation or presence of the vulnerability, you could monitor Streamlit application logs for unexpected cache hits or stale data returns, but no specific commands are provided in the resources.

Mitigation Strategies

Immediate mitigation steps include updating Streamlit to a version that includes the fix for this vulnerability once the pull request is accepted and released.

The fix involves replacing fixed sampling seeds with data-dependent seeds in the hashing functions and ensuring PIL P-mode images include palette bytes in their hash to prevent collisions.

Until the fix is released, consider limiting local access to the Streamlit environment to trusted users only, as the attack requires local access and has high complexity.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart