CVE-2026-15605 in wandbinfo

Summary

by MITRE • 07/14/2026

A security vulnerability has been detected in wandb 0.25.2.dev1. Affected is the function ArtifactManifestEntry.download in the library wandb/sdk/lib/hashutil.py of the component Artifact Integrity Validation. The manipulation leads to use of weak hash. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The pull request to fix this issue awaits acceptance.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in wandb version 0.25.2.dev1 represents a critical weakness in the artifact integrity validation mechanism that could compromise the security of machine learning workflows. This flaw exists within the ArtifactManifestEntry.download function located in wandb/sdk/lib/hashutil.py, which is responsible for verifying the integrity of downloaded artifacts during the machine learning experiment tracking process. The issue stems from the use of weak cryptographic hash functions that fail to provide adequate protection against collision attacks and other cryptographic weaknesses.

The technical implementation of this vulnerability involves the utilization of insufficiently strong hashing algorithms that do not meet modern security standards for integrity verification. When an artifact is downloaded through the wandb platform, the system should employ robust cryptographic hashes such as SHA-256 or SHA-3 to ensure data integrity. However, the current implementation appears to rely on weaker alternatives that could potentially be exploited by adversaries to create malicious artifacts that appear legitimate while containing harmful content. This weakness directly violates security principles outlined in cwe-327, which addresses the use of weak cryptographic algorithms.

The operational impact of this vulnerability extends beyond simple data integrity concerns to potentially enable sophisticated attacks within machine learning environments where trust in artifact provenance is paramount. Remote exploitation becomes possible when attackers can influence the download process or manipulate network traffic between the client and wandb servers. The attack complexity required suggests that adversaries would need specialized knowledge and resources to successfully exploit this weakness, making it a moderately high-risk vulnerability that requires immediate attention.

The difficulty of exploitation does not diminish the severity of this issue, as attackers with sufficient resources could potentially craft malicious artifacts that bypass integrity checks through hash collisions or other cryptographic attacks. The fact that a pull request exists to address this issue indicates that the maintainers recognize the vulnerability's significance, but the delay in acceptance creates an extended window of exposure for users of affected versions. This vulnerability particularly impacts organizations relying on wandb for experiment tracking and artifact management where the integrity of machine learning models and datasets is critical.

Organizations should implement immediate mitigations including upgrading to patched versions of wandb, monitoring for unusual artifact download patterns, and potentially implementing additional verification layers beyond the default hash validation. The vulnerability also highlights the importance of cryptographic best practices in security-critical applications and aligns with ATT&CK technique T1552.001 which addresses credentials theft through manipulation of files and data. System administrators should consider implementing network monitoring to detect potential exploitation attempts and ensure that all wandb installations are updated to versions containing the fix for this cryptographic weakness.

Responsible

VulDB

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!