CVE-2026-10804 Overview
CVE-2026-10804 affects Streamlit versions up to and including 1.53.0. The vulnerability resides in the lib/streamlit/runtime/caching/hashing.py module, specifically within the Palette Handler component. The flaw is the use of a weak hash algorithm [CWE-327] to derive cache identities, which undermines the collision resistance that the caching logic implicitly relies on.
Exploitation requires local access and has high attack complexity, which limits practical attack scenarios. Technical details have been disclosed publicly, while the pull request addressing this issue remains pending acceptance upstream.
Critical Impact
Local attackers with low privileges can target weak hashing logic in the Streamlit caching subsystem, potentially affecting integrity and availability of cached objects.
Affected Products
- Streamlit versions up to and including 1.53.0
- lib/streamlit/runtime/caching/hashing.py module
- Palette Handler component within Streamlit runtime caching
Discovery Timeline
- 2026-06-04 - CVE-2026-10804 published to the National Vulnerability Database (NVD)
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-10804
Vulnerability Analysis
The vulnerability resides in Streamlit's caching subsystem, which uses hashing to identify cached objects and detect changes. The Palette Handler within hashing.py relies on a weak hash algorithm that does not provide collision resistance suitable for security-sensitive contexts.
Weak hash functions allow an attacker to craft distinct inputs that produce identical hash outputs. In the context of Streamlit caching, two palette objects that hash to the same cache key are indistinguishable to the cache, so a result computed for one input can be returned for the other, or an attacker-controlled object can shadow a legitimate cached entry; downstream code that treats the hash as a proof of identity inherits that confusion. The flaw is categorized as [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
Exploitation requires local access to the host running the Streamlit application and a low-privilege account. The attack complexity is high because the attacker must produce a meaningful collision against the targeted handler, not merely any pair of colliding inputs.
Root Cause
The hashing.py module implements identity hashing for cache entries using an algorithm not designed to resist adversarial collisions. The Palette Handler inherits this behavior when computing hash representations of palette objects, leaving the caching logic exposed to manipulation.
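The collision scenario described in the two sections above, as an added illustration that is not Streamlit's code and does not reproduce the upstream hasher: a "palette" is a constructed stand-in (a tuple of colour strings), the weak identity hash is modelled by truncating a digest to 32 bits so that a birthday search finds a collision in-process (a real MD5 or SHA-1 collision would need precomputed colliding blocks, but the effect on the cache is the same), and the hardened form is a full-width keyed BLAKE2b, which is an assumed replacement rather than the fix proposed in the pending pull request.

```python
"""Added illustration, not Streamlit's own code: why an identity hash used for
cache keys must be collision resistant.  Palettes, the weak hasher and the
hardened hasher below are all constructed for this example."""
import hashlib


def serialize_palette(colors):
    """Length-prefix every field so distinct palettes never serialise alike."""
    return b"".join(len(c).to_bytes(2, "big") + c.encode() for c in colors)


def weak_cache_key(colors):
    """Models a non-collision-resistant hash: only 32 bits of digest survive,
    so the birthday bound puts a collision at roughly 2**16 trials."""
    return hashlib.sha256(serialize_palette(colors)).digest()[:4]


def strong_cache_key(colors, key=b"per-process-secret"):
    """Hardened form (assumed, not the upstream fix): full-width keyed BLAKE2b.
    Keying stops an attacker from precomputing colliding inputs offline and
    the 256-bit output makes a birthday search infeasible."""
    return hashlib.blake2b(serialize_palette(colors), digest_size=32, key=key).digest()


def find_collision(key_fn, limit=1 << 20):
    """Birthday search: return two distinct palettes sharing a cache key, or None."""
    seen = {}
    for i in range(limit):
        palette = (f"#{i:06x}",)  # every candidate is a different palette
        k = key_fn(palette)
        if k in seen:
            return seen[k], palette
        seen[k] = palette
    return None


class PaletteCache:
    """Minimal memoising cache keyed by whatever hasher it is given."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def get_or_compute(self, palette, compute):
        k = self.key_fn(palette)
        if k not in self.store:
            self.store[k] = compute(palette)
        return self.store[k]


def demo():
    """Returns (victim, attacker, weak_result, strong_result) or None."""
    pair = find_collision(weak_cache_key)
    if pair is None:  # practically impossible at 32 bits within 2**20 trials
        return None
    victim, attacker = pair
    weak = PaletteCache(weak_cache_key)
    weak.get_or_compute(victim, lambda p: ("rendered", p))
    # The attacker's distinct palette now resolves to the victim's cached object.
    weak_result = weak.get_or_compute(attacker, lambda p: ("rendered", p))
    strong = PaletteCache(strong_cache_key)
    strong.get_or_compute(victim, lambda p: ("rendered", p))
    strong_result = strong.get_or_compute(attacker, lambda p: ("rendered", p))
    return victim, attacker, weak_result, strong_result


if __name__ == "__main__":
    v, a, w, s = demo()
    print(f"collision: {v} vs {a}")
    print(f"weak cache served {w}, strong cache served {s}")
```

The length-prefixed serialisation matters independently of the digest: without it, ("ab", "c") and ("a", "bc") would hash identically even under a strong function. Keying the hash with a per-process secret is only useful if the secret is not readable by the same local user who can feed inputs to the application.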
Attack Vector
An attacker with local, low-privileged access to a system running a vulnerable Streamlit version can craft inputs that target the Palette Handler hashing path. Successful manipulation may influence which cached object the Streamlit runtime resolves for a given input. Because the assigned attack vector is local, remote exploitation is not considered feasible.
No public proof-of-concept code has been verified against this CVE. See the GitHub Issue #14622 and GitHub Pull Request #14635 for technical context.
Detection Methods for CVE-2026-10804
Indicators of Compromise
- Unexpected cache hits or stale palette objects served by Streamlit applications
- Anomalous local process activity targeting Python processes running Streamlit
- Modifications to files under the Streamlit runtime caching directory by non-administrative users
Detection Strategies
- Inventory all Streamlit deployments and identify hosts running versions at or below 1.53.0
- Audit local user activity on hosts running Streamlit applications, focusing on interactions with the Python runtime and cache storage paths
- Review application logs for repeated cache misses or integrity errors originating from the caching subsystem
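The inventory step above, as an added example that is not part of the advisory or of Streamlit: it classifies version strings against the affected range the page states (up to and including 1.53.0), reports anything newer as unverified because no fixed release is announced, and reads the local interpreter's installed version via importlib.metadata. The sample inventory is constructed.

```python
"""Added example, not part of the advisory or of Streamlit: classify installed
Streamlit versions against the affected range stated above (<= 1.53.0)."""
import re
from importlib import metadata

AFFECTED_MAX = (1, 53, 0)  # "up to and including 1.53.0"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Reduce a PEP 440-style string to a (major, minor, patch) tuple.
    Pre-release suffixes such as 1.53.0rc1 are treated as the release they
    precede, which keeps them inside the affected range."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def classify(version_text):
    """'affected'   : within the range the advisory names
       'unverified' : newer than 1.53.0; no fixed release is announced yet,
                      so confirm the merged fix before treating it as safe"""
    return "affected" if parse_version(version_text) <= AFFECTED_MAX else "unverified"


def installed_streamlit_version():
    """Version of streamlit in this interpreter, or None when not installed."""
    try:
        return metadata.version("streamlit")
    except metadata.PackageNotFoundError:
        return None


def triage(inventory):
    """inventory maps host -> version string (None = streamlit absent).
    Returns {status: sorted hosts} for the two statuses that need action."""
    report = {"affected": [], "unverified": []}
    for host, version in inventory.items():
        if version is None:
            continue
        report[classify(version)].append(host)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample inventory, e.g. collected per host with
#   python -c "import streamlit; print(streamlit.__version__)"
SAMPLE_INVENTORY = {
    "dash-01": "1.53.0",
    "dash-02": "1.52.1",
    "dash-03": "1.54.0",
    "dash-04": "1.53.0rc1",
    "build-07": None,
}

if __name__ == "__main__":
    print("this host:", installed_streamlit_version())
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unverified" bucket should not be closed out on version number alone until the pull request referenced above is merged and shipped in a release.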
Monitoring Recommendations
- Monitor file integrity for lib/streamlit/runtime/caching/hashing.py and related caching modules in production deployments; note that this detects tampering with the installed module, not exploitation of the weak hash itself
- Track local logon events and privilege use on systems hosting Streamlit dashboards
- Enable verbose logging in Streamlit during investigation (for example, start the app with --logger.level=debug, or set level = "debug" under [logger] in config.toml) to capture cache key generation behavior
How to Mitigate CVE-2026-10804
Immediate Actions Required
- Restrict local access to systems running Streamlit to trusted administrators and authenticated users only
- Limit filesystem permissions on Streamlit cache directories to the service account that runs the application
- Track the upstream pull request and plan an upgrade window once a fixed Streamlit release is published
Patch Information
No official patched release is available at the time of publication. The fix is proposed in GitHub Pull Request #14635, which awaits acceptance by the Streamlit maintainers. Refer to the Streamlit Repository for release announcements and to VulDB CVE-2026-10804 for ongoing tracking.
Workarounds
- Run Streamlit applications under a dedicated low-privilege service account isolated from interactive users
- Disable or avoid relying on cached palette objects for security-sensitive decisions until the upstream patch is merged
- Apply host-level access controls and endpoint monitoring to limit who can interact with the Streamlit process locally
# Configuration example: restrict cache directory permissions
# The path below is illustrative; adjust it to wherever your deployment persists
# cache data (Streamlit's default on-disk cache lives under the service account's
# ~/.streamlit/cache), and run the application as the same service account.
chown -R streamlit-svc:streamlit-svc /var/lib/streamlit/cache
chmod 700 /var/lib/streamlit/cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.