CVE-2026-10801: ms-swift: weak hash enables image cache poisoning

LOW
Published June 4, 2026
CISO Take

CVE-2026-10801 is a weak hashing vulnerability (CWE-327/328) in the PIL image cache key handler (Template._save_pil_image in swift/template/base.py) of ms-swift, affecting all versions up to and including 4.2.0 of this widely used model fine-tuning framework. An attacker with local, low-privilege access and write access to the shared cache directory could place an image whose cache key matches that of a legitimate training image, so the next fine-tuning run silently consumes the substitute: a subtle integrity attack on the ML pipeline. Overall risk is low (CVSS 3.6, AV:L/AC:H, not in KEV, no known exploitation), but it matters to teams fine-tuning multimodal models in shared compute environments where cache directories are writable by multiple users or jobs. Monitor the upstream fix in PR #9359 for acceptance and patch once a release is cut; in the interim, disable the PIL image cache or restrict cache directory permissions to the training job owner.

Sources: NVD, MITRE ATLAS

What is the risk?

Overall risk is LOW. The CVSS 3.1 score of 3.6 reflects a local attack vector, high attack complexity, a low-privilege requirement, and limited impact (no confidentiality impact; low integrity and availability impact). There is no reported active exploitation and no CISA KEV inclusion, and EPSS data is not yet available; note, however, that the original advisory below states the issue has been disclosed publicly, so treat the technique as known rather than theoretical. The risk becomes non-trivial only in multi-tenant or shared ML compute environments where untrusted local users can write to the same cache directory used by active fine-tuning jobs. Inference-only or non-multimodal deployments are unaffected.

Attack Kill Chain

  1. Local Access (AML.T0010.001 AI Software)
     Attacker obtains low-privilege local access to a shared ML training server running ms-swift fine-tuning jobs.

  2. Hash Collision Crafting (AML.T0043 Craft Adversarial Data)
     Attacker identifies the weak hash function used for PIL image cache keys (ms-swift is open source, so no reverse engineering is needed) and crafts an image that produces the same key as a legitimate training image.

  3. Cache Poisoning (AML.T0020 Poison Training Data)
     Attacker writes the crafted image to the shared cache directory, replacing or preempting the legitimate cached entry before the next training run.

  4. Model Integrity Degradation
     The fine-tuning pipeline silently consumes the malicious image, producing a model with subtly corrupted behavior that may not show up in standard loss-curve monitoring.

What systems are affected?

Package    Ecosystem   Vulnerable Range        Patched
ms-swift   pip         up to and incl. 4.2.0   No patch

Do you use ms-swift 4.2.0 or earlier for multimodal fine-tuning? You're affected.

Severity & Risk

CVSS 3.1: 3.6 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Advanced

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): Low

What should I do?

5 steps
  1. Upgrade ms-swift to a version beyond 4.2.0 once PR #9359 is merged and a patched release is published — monitor https://github.com/modelscope/ms-swift/releases.

  2. As an immediate workaround, restrict write permissions on ms-swift's PIL image cache directory to the dedicated training service account, preventing untrusted local users from injecting colliding cache entries.

  3. In shared GPU cluster environments, run fine-tuning jobs in isolated user namespaces or containers with private cache paths.

  4. Audit training data pipelines for unexpected image substitutions by spot-checking cached image checksums against source hashes using a strong algorithm (SHA-256) before and after training runs.

  5. Consider disabling the PIL image cache entirely for security-sensitive fine-tuning jobs until a patch is available.
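The steps above (private cache path, checksum verification, a strong hash) can be read as one design. The following is an added example, not ms-swift's code and not the upstream fix: it models a content-addressed image cache over raw pixel bytes (standing in for PIL's image.tobytes(), so Pillow is not required), first in the weak shape the advisory describes (hash-derived filename, existing file trusted on sight), then hardened. The MD5 key, the filenames and the class names are assumptions for illustration. The demo plants an attacker file at the path a legitimate image will map to; the weak cache hands the planted bytes to the training job, the hardened cache refuses them. The planting is done as the same user only so that the demo runs; against the hardened cache a different local user cannot even open the 0700 directory.

```python
import hashlib
import os
import tempfile

# Constructed pixel payloads standing in for PIL image.tobytes(); no Pillow needed.
LEGIT_IMAGE = bytes(range(256)) * 4          # the training image the job expects
ATTACKER_IMAGE = b"\x00" * len(LEGIT_IMAGE)  # what a local attacker wants consumed


class WeakImageCache:
    """Assumed shape of a content-addressed image cache (illustrative, not
    ms-swift's code): the key is a hash of the pixel bytes and an existing
    file under that key is trusted without being checked."""

    def __init__(self, root: str) -> None:
        self.root = root
        os.makedirs(root, exist_ok=True)            # shared directory, default perms

    def key(self, img_bytes: bytes) -> str:
        return hashlib.md5(img_bytes).hexdigest()   # weak key (assumption)

    def path_for(self, img_bytes: bytes) -> str:
        return os.path.join(self.root, self.key(img_bytes) + ".bin")

    def save(self, img_bytes: bytes) -> str:
        path = self.path_for(img_bytes)
        if not os.path.exists(path):                # whoever wrote the path first wins
            with open(path, "wb") as f:
                f.write(img_bytes)
        return path


class HardenedImageCache:
    """Private directory, SHA-256 key, content re-verified on every hit,
    write-then-rename. Illustrative hardening, not the upstream patch."""

    def __init__(self, root: str) -> None:
        self.root = root
        os.makedirs(root, mode=0o700, exist_ok=True)
        os.chmod(root, 0o700)                       # only the job owner may write

    def key(self, img_bytes: bytes) -> str:
        return hashlib.sha256(img_bytes).hexdigest()

    def path_for(self, img_bytes: bytes) -> str:
        return os.path.join(self.root, self.key(img_bytes) + ".bin")

    def save(self, img_bytes: bytes) -> str:
        key = self.key(img_bytes)
        path = self.path_for(img_bytes)
        if os.path.exists(path):
            with open(path, "rb") as f:
                on_disk = f.read()
            if hashlib.sha256(on_disk).hexdigest() != key:
                # Entry does not match its own key: poisoned or corrupted. Fail closed.
                raise RuntimeError(f"cache entry {key} does not match its key")
            return path
        fd, tmp = tempfile.mkstemp(dir=self.root)   # no partially written file is ever visible
        with os.fdopen(fd, "wb") as f:
            f.write(img_bytes)
        os.replace(tmp, path)
        return path


def plant(path: str, payload: bytes) -> None:
    """Simulate the attacker pre-creating the file a victim image will map to."""
    with open(path, "wb") as f:
        f.write(payload)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmpdir:
        weak = WeakImageCache(os.path.join(tmpdir, "weak"))
        plant(weak.path_for(LEGIT_IMAGE), ATTACKER_IMAGE)
        with open(weak.save(LEGIT_IMAGE), "rb") as f:
            weak_consumed_attacker = f.read() == ATTACKER_IMAGE

        hard = HardenedImageCache(os.path.join(tmpdir, "hard"))
        plant(hard.path_for(LEGIT_IMAGE), ATTACKER_IMAGE)
        try:
            hard.save(LEGIT_IMAGE)
            hardened_outcome = "undetected"
        except RuntimeError:
            hardened_outcome = "detected"
    return {"weak_consumed_attacker": weak_consumed_attacker,
            "hardened_outcome": hardened_outcome}


if __name__ == "__main__":
    print(run_demo())
```

The re-verification on a cache hit is what step 4 does by hand, and it only helps because the key is SHA-256: with a forgeable key the planted file would satisfy the "contents hash to the filename" check as well. Failing closed on a mismatch is a deliberate choice for training integrity; an alternative is to overwrite the entry and alert.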

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 10 - Data and data governance
ISO 42001
A.6.2 - Data quality and integrity for AI systems
NIST AI RMF
MEASURE 2.5 - Practices and personnel for AI risk measurement

Frequently Asked Questions

What is CVE-2026-10801?

CVE-2026-10801 is a weak hashing vulnerability (CWE-327/328) in the PIL image cache key handler of ms-swift, affecting all versions up to and including 4.2.0. A local, low-privilege attacker who can write to the shared cache directory can place an image whose cache key matches that of a legitimate training image, so the fine-tuning job silently consumes the substitute. See the CISO Take above for the full assessment.

Is CVE-2026-10801 actively exploited?

No confirmed active exploitation of CVE-2026-10801 has been reported. No patched release exists yet, so organizations should track the upstream fix and apply the interim mitigations under "What should I do?" in shared compute environments.

How to fix CVE-2026-10801?

Follow the five steps under "What should I do?" above: upgrade once a patched release beyond 4.2.0 is published (monitor https://github.com/modelscope/ms-swift/releases and PR #9359); until then, restrict write permissions on the PIL image cache directory to the training service account, run jobs in isolated namespaces or containers with private cache paths, verify cached images against SHA-256 source hashes before and after training runs, and consider disabling the PIL image cache for security-sensitive jobs.

What systems are affected by CVE-2026-10801?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Model fine-tuning workflows, Multimodal ML pipelines.

What is the CVSS score for CVE-2026-10801?

CVE-2026-10801 has a CVSS v3.1 base score of 3.6 (LOW).

AI Security Impact

Affected AI Architectures

Training pipelines, Model fine-tuning workflows, Multimodal ML pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0020 Poison Training Data
AML.T0043 Craft Adversarial Data

Compliance Controls Affected

EU AI Act: Article 10
ISO 42001: A.6.2
NIST AI RMF: MEASURE 2.5

Technical Details

Original Advisory

A security vulnerability has been detected in modelscope ms-swift up to 4.2.0. This affects the function Template._save_pil_image of the file swift/template/base.py of the component PIL Image Cache Key Handler. The manipulation leads to use of weak hash. An attack has to be approached locally. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

Exploitation Scenario

An attacker with a low-privilege shell on a shared ML training server identifies that ms-swift fine-tuning jobs are running. They inspect the PIL image cache directory, which is readable and writable by multiple users, and identify the weak hash function being used for cache key generation. Using offline preimage or collision tooling appropriate to the specific weak hash (e.g., MD5 or CRC-based), they craft a PIL image file that produces the same cache key as a high-value training image (e.g., a safety-relevant calibration image or a brand-recognition sample) and write it to the cache directory. When the next fine-tuning run starts, ms-swift's cache key handler resolves the cache hit and uses the attacker's image instead of the legitimate one, subtly biasing the resulting model. Because training loss curves may remain within normal bounds, the corruption goes undetected until downstream model evaluation reveals degraded or skewed behavior. One caveat for anyone assessing this in their own environment: matching the key of an image the attacker does not control is a second-preimage attack, which is trivial against a non-cryptographic key such as a CRC or a short truncation but not practical against MD5 on its own; against MD5 the realistic routes are a collision in which the attacker controls both images, or simply knowing the legitimate image (public datasets are common) so its key can be computed directly and the cache entry pre-planted.
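To make the "craft an image with the same cache key" step concrete, here is an added example that is not ms-swift's code and does not use its real key function (the page does not identify the hash). It assumes a CRC-32 cache key, one of the weak options the scenario names, and shows why such a key is forgeable: CRC-32 is linear, so the last four pixel bytes of an attacker-chosen image can be rewritten to hit any target key in four table lookups (the classic CRC forcing technique). Pixel buffers are constructed byte strings standing in for PIL image.tobytes(); the same image is then compared under SHA-256, where no such shortcut exists.

```python
import hashlib
import zlib

# Constructed stand-ins for PIL image.tobytes() output (no Pillow required).
LEGIT_PIXELS = bytes(range(256)) * 4       # the training image to impersonate
ATTACKER_PIXELS = b"\x7f" * 1024           # attacker-chosen pixel content

# Standard reflected CRC-32 table (polynomial 0xEDB88320), as zlib.crc32 uses.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The most significant bytes of the 256 entries are all distinct, so the top
# byte of a register state identifies which table entry was XORed in last.
_TOP_BYTE_TO_INDEX = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}
assert len(_TOP_BYTE_TO_INDEX) == 256


def weak_cache_key(img_bytes: bytes) -> int:
    """Assumed weak key: CRC-32 of the pixel bytes (a stand-in, not ms-swift's code)."""
    return zlib.crc32(img_bytes)


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return four bytes X such that zlib.crc32(data + X) == target."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF          # undo zlib's final XOR: raw register
    wanted = (target ^ 0xFFFFFFFF) & 0xFFFFFFFF    # raw register we must end on
    # Backward pass: from the wanted final state recover the table index that
    # each of the four appended bytes must select; the top byte alone fixes it.
    idx = [0] * 4
    reg = wanted
    for i in range(3, -1, -1):
        idx[i] = _TOP_BYTE_TO_INDEX[reg >> 24]
        reg = ((reg ^ _TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forward pass: from the real state pick each byte so the CRC update
    # (reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)) uses that index.
    suffix = bytearray()
    reg = state
    for i in range(4):
        suffix.append((reg & 0xFF) ^ idx[i])
        reg = _TABLE[idx[i]] ^ (reg >> 8)
    assert reg == wanted
    return bytes(suffix)


def forge_to_match(legit: bytes, malicious: bytes) -> bytes:
    """Rewrite the last four pixel bytes of `malicious` so its weak key equals
    that of `legit`; the buffer keeps its size, so image dimensions still fit."""
    body = malicious[:-4]
    return body + forge_crc32_suffix(body, weak_cache_key(legit))


def keys_collide(a: bytes, b: bytes) -> bool:
    return weak_cache_key(a) == weak_cache_key(b)


def strong_keys_collide(a: bytes, b: bytes) -> bool:
    """The same comparison under SHA-256, for which no practical second preimage exists."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    forged = forge_to_match(LEGIT_PIXELS, ATTACKER_PIXELS)
    print("weak key collides:  ", keys_collide(forged, LEGIT_PIXELS))
    print("sha256 key collides:", strong_keys_collide(forged, LEGIT_PIXELS))
```

Four bytes of pixel noise in a corner of the image is below any visual threshold, which is the point: if the cache key is not a collision-resistant hash, "same key" says nothing about "same image", and the only defences left are directory permissions and out-of-band checksums.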

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Timeline

Published
June 4, 2026
Last Modified
June 4, 2026
First Seen
June 4, 2026
