PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2614 mlflow CVE debrief

CVE-2026-2614 is a high-severity vulnerability in mlflow/mlflow that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. The issue arises in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier. An attacker can exploit this by including the tag `mlflow.prompt.is_prompt` in a `CreateModelVersion` request, bypassing source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

Vendor
mlflow
Product
mlflow/mlflow
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-11
Original CVE updated
2026-07-02
Advisory published
2026-05-11
Advisory updated
2026-07-02

Who should care

Users of mlflow/mlflow versions 3.9.0 and earlier should be aware of this vulnerability and take immediate action to protect their systems. This includes upgrading to version 3.10.0 or applying the necessary patches. Additionally, users should monitor their systems for any suspicious activity and implement compensating controls to prevent exploitation.

Technical summary

The vulnerability in mlflow/mlflow arises from a flawed validation mechanism in the `_create_model_version()` handler of `mlflow/server/handlers.py`. By including the tag `mlflow.prompt.is_prompt` in a `CreateModelVersion` request, an unauthenticated remote attacker can bypass source path validation and store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function then uses this source to serve files without verifying the model version's prompt status, allowing for a complete confidentiality compromise.

Defensive priority

High

Recommended defensive actions

  • Upgrade to mlflow/mlflow version 3.10.0 or later
  • Apply the necessary patches to fix the vulnerability
  • Monitor systems for suspicious activity
  • Implement compensating controls to prevent exploitation
  • Conduct regular inventory checks to ensure all systems are up-to-date

Evidence notes

The CVE record was published on 2026-05-11T20:25:41.423Z and was last modified on 2026-07-02T12:17:02.460Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 7.5 and a severity of High.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-11T20:25:41.423Z and has not been modified since then. The NVD entry is currently Modified.