<Vulnerability name="CVE-2026-15605">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-13T22:45:09</PublicDate>
    <Bugzilla id="2499859" url="https://bugzilla.redhat.com/show_bug.cgi?id=2499859" xml:lang="en:us">
wandb: wandb: Information disclosure due to weak hash in artifact integrity validation
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>3.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-328</CWE>
    <Details xml:lang="en:us" source="Mitre">
A security vulnerability has been detected in wandb 0.25.2.dev1. Affected is the function ArtifactManifestEntry.download in the library wandb/sdk/lib/hashutil.py of the component Artifact Integrity Validation. The manipulation leads to use of weak hash. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The pull request to fix this issue awaits acceptance.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in wandb. A remote attacker could exploit the use of a weak hash algorithm during artifact integrity validation in the `ArtifactManifestEntry.download` function. This could potentially lead to a low impact on confidentiality, allowing for limited information disclosure.
    </Details>
    <Statement xml:lang="en:us">
A Low impact vulnerability in wandb's artifact integrity validation, due to a weak hash algorithm, could lead to limited information disclosure. Exploitation by a remote attacker is complex and difficult, reducing the overall risk in typical Red Hat deployments.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:exploit_intelligence:0">
        <ProductName>Exploit Intelligence</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>exploit-intelligence-tech-preview/vulnerability-analysis-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhaiis/vllm-cpu-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ai_inference_server:3">
        <ProductName>Red Hat AI Inference Server</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhaiis/vllm-tpu-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-15605
https://nvd.nist.gov/vuln/detail/CVE-2026-15605
https://github.com/wandb/wandb/
https://github.com/wandb/wandb/issues/12030
https://github.com/wandb/wandb/pull/12031
https://vuldb.com/cve/CVE-2026-15605
https://vuldb.com/submit/855675
https://vuldb.com/vuln/378114
https://vuldb.com/vuln/378114/cti
    </References>
</Vulnerability>