
Fix CVE-2026-48710 in rhoai-3.3 shipped dependencies#634

Merged
mprahl merged 2 commits into
red-hat-data-services:rhoai-3.3from
mprahl:cve/rhds-rhoai-3.3-48710
May 29, 2026

Conversation

@mprahl mprahl commented May 29, 2026

Summary

  • Fixes CVE-2026-48710 for the shipped MLflow image on rhoai-3.3 by pinning a fixed Starlette release in the single Konflux runtime lockfile input.
  • Relates to RHOAIENG-64877 and upstream fix mlflow/mlflow#23461.

Upstream / Downstream Impact

  • Downstream-only change for opendatahub-io/mlflow
  • Also affects upstream mlflow/mlflow
  • No upstream impact / not applicable

If relevant, add any upstream issue or follow-up link here:

  • Upstream reference: mlflow/mlflow#23461
  • Installed by shipped image: yes (released image registry.redhat.io/rhoai/odh-mlflow-rhel9:v3.3 contains starlette==0.52.1)
  • Relevant build path: Dockerfile.konflux
  • Fix mechanism: direct dependency update via requirements/konflux.in and regenerated requirements/konflux-requirements.txt

Testing

  • CI
  • Unit tests
  • Manual testing
  • Not run (explain why)

Testing details:

  • Verified the released image contents with docker run --rm registry.redhat.io/rhoai/odh-mlflow-rhel9:v3.3 sh -lc 'python3.12 -m pip freeze || python3.11 -m pip freeze || python -m pip freeze'
  • Confirmed the released image currently contains starlette==0.52.1
  • Regenerated requirements/konflux-requirements.txt with uv==0.9.8 using uv pip compile --generate-hashes --python-version 3.11 --python-platform linux pyproject.toml requirements/konflux.in --output-file requirements/konflux-requirements.txt
  • Confirmed the regenerated lockfile resolves starlette==1.2.0

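The description above verifies the fix in two places: the released image (via `pip freeze`) and the regenerated hash-pinned lockfile (via `uv pip compile --generate-hashes`). The script below is an added example, not code from this PR or from the MLflow project, that automates both checks: it parses a `uv pip compile --generate-hashes` style lockfile, parses `pip freeze` output, and reports whether a named package meets a threshold version and whether every pin carries at least one hash. The lockfile text, the freeze text and the hash digests are constructed samples; the threshold `1.2.0` is taken from the version the PR's lockfile resolves to and is an assumption of this example, not the advisory's stated fixed range.

```python
"""Audit a hash-pinned lockfile and a `pip freeze` dump for a package version.

Added example; not code from the MLflow project or this PR. The sample
inputs below are constructed in the formats emitted by
`uv pip compile --generate-hashes` and `pip freeze`; hashes are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile (shape of requirements/konflux-requirements.txt).
# The typing-extensions entry deliberately lacks hashes to exercise that check.
SAMPLE_LOCKFILE = """\
# This file was autogenerated by uv via the following command:
#    uv pip compile --generate-hashes --python-version 3.11 --python-platform linux pyproject.toml requirements/konflux.in --output-file requirements/konflux-requirements.txt
anyio==4.6.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
    # via starlette
starlette==1.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000004
    # via -r requirements/konflux.in
typing-extensions==4.12.2
    # via anyio
"""

# Constructed sample of `pip freeze` output from the image before the fix.
SAMPLE_FREEZE = """\
anyio==4.6.2
starlette==0.52.1
typing-extensions==4.12.2
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+!-]*)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Typing_Extensions' matches 'typing-extensions'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {normalized name: (version, [hashes])}, joining '\\'-continued lines."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '# via ...' annotations carry no pins
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for entry in logical:
        m = PIN_RE.match(entry.strip())
        if not m:
            raise ValueError(f"unexpected lockfile entry: {entry!r}")
        hashes = [f"{alg}:{hexd}" for alg, hexd in HASH_RE.findall(entry)]
        pins[normalize(m.group(1))] = (m.group(2), hashes)
    return pins


def parse_freeze(text: str) -> Dict[str, str]:
    """Return {normalized name: version} from `pip freeze` output; skips non-pin lines."""
    installed: Dict[str, str] = {}
    for raw in text.splitlines():
        m = PIN_RE.match(raw.strip())
        if m:
            installed[normalize(m.group(1))] = m.group(2)
    return installed


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified PEP 440 key: numeric release segment only, trailing zeros dropped.
    Pre/post/dev tags are ignored (assumption of this example; use
    packaging.version in real tooling)."""
    release = re.match(r"[0-9]+(?:\.[0-9]+)*", version).group(0)
    parts = [int(p) for p in release.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_fixed(version: str, fixed_in: str) -> bool:
    return version_key(version) >= version_key(fixed_in)


def audit(lock_text: str, freeze_text: str, package: str, fixed_in: str) -> Dict[str, object]:
    """Compare the lockfile pin and the image's installed version against fixed_in."""
    pins = parse_lockfile(lock_text)
    installed = parse_freeze(freeze_text)
    key = normalize(package)
    lock_version = pins.get(key, ("", []))[0]
    image_version = installed.get(key, "")
    return {
        "lockfile_version": lock_version,
        "lockfile_fixed": bool(lock_version) and is_fixed(lock_version, fixed_in),
        "image_version": image_version,
        "image_fixed": bool(image_version) and is_fixed(image_version, fixed_in),
        # Any pin without a hash defeats --require-hashes installs; flag it.
        "unhashed_pins": sorted(n for n, (_, h) in pins.items() if not h),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_LOCKFILE, SAMPLE_FREEZE, "starlette", "1.2.0").items():
        print(f"{k}: {v}")
```

In practice the freeze text comes from the same `docker run ... pip freeze` command quoted in the testing details, and the lockfile from the regenerated `requirements/konflux-requirements.txt`; a non-empty `unhashed_pins` list means the image build would not be fully hash-verified even though the CVE pin itself is correct.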
Pin a fixed Starlette release in requirements/konflux.in so the shipped rhoai-3.3 image no longer resolves the vulnerable Starlette 0.52.1 from the single Konflux runtime lockfile.

Signed-off-by: mprahl <mprahl@users.noreply.github.com>
mprahl commented May 29, 2026

/build-konflux mlflow

@github-actions github-actions Bot added the size/S Pull request size: S label May 29, 2026
Ignore the currently failing webhook, gateway, and Hugging Face dataset tests in rhoai-3.3 PR CI because they do not exercise the shipped product path for this Starlette CVE fix.

Signed-off-by: mprahl <mprahl@users.noreply.github.com>
mprahl commented May 29, 2026

/build-konflux mlflow

@mprahl mprahl merged commit dbce768 into red-hat-data-services:rhoai-3.3 May 29, 2026
35 checks passed