PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4137 mlflow CVE debrief

## Summary

CVE-2026-4137 is a **HIGH** severity (CVSS 7.0) local privilege escalation vulnerability in MLflow versions prior to 3.11.0. The vulnerability stems from insecure temporary directory permissions that allow local attackers to tamper with model artifacts and achieve arbitrary code execution through deserialization attacks.

## Technical Analysis

The vulnerability exists in two functions within the MLflow codebase:

1. **`get_or_create_nfs_tmp_dir()`** in `mlflow/utils/file_utils.py` creates temporary directories with **world-writable permissions (0o777)**
2. **`_create_model_downloading_tmp_dir()`** in `mlflow/pyfunc/__init__.py` creates directories with **group-writable permissions (0o770)**

These insecure permissions enable local attackers to:

- Modify model artifacts stored in these temporary directories
- Tamper with `cloudpickle`-serialized Python objects
- Execute arbitrary code when the compromised artifacts are deserialized via `cloudpickle.load()`

## Attack Scenario

The attack vector is particularly severe in **shared NFS mount environments**, such as Databricks, where NFS is enabled by default. A local attacker with access to the shared filesystem can:

1. Identify MLflow temporary directories with weak permissions
2. Replace legitimate model artifacts with malicious `cloudpickle`-serialized payloads
3. Wait for or trigger deserialization of the tampered artifacts
4. Achieve arbitrary code execution in the context of the MLflow process

## Affected Versions

- **MLflow versions prior to 3.11.0** are affected

## Remediation

**Upgrade to MLflow 3.11.0 or later**, which contains the security fix. The patch commit addresses the insecure permission settings in both vulnerable functions.

## Context and Related Issues

This vulnerability represents a **continuation of an incomplete fix** for CVE-2025-10279. The earlier CVE addressed similar permission issues but did not fully remediate the vulnerability class, leaving these specific code paths exploitable.
## CVSS Breakdown

- **Attack Vector (AV):** Local
- **Attack Complexity (AC):** High
- **Privileges Required (PR):** Low
- **User Interaction (UI):** None
- **Scope (S):** Unchanged
- **C

Vendor: mlflow
Product: mlflow/mlflow
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Organizations running MLflow versions prior to 3.11.0, particularly those with shared NFS infrastructure including Databricks environments. Data science teams, MLOps engineers, and security administrators responsible for ML model serving infrastructure should prioritize patching.

Technical summary

CVE-2026-4137 is a HIGH severity vulnerability in MLflow < 3.11.0 where `get_or_create_nfs_tmp_dir()` and `_create_model_downloading_tmp_dir()` create temporary directories with world-writable (0o777) and group-writable (0o770) permissions respectively. Local attackers can tamper with cloudpickle-serialized model artifacts in these directories to achieve arbitrary code execution when the artifacts are deserialized. The vulnerability is especially critical in shared NFS environments such as Databricks, and it stems from an incomplete fix for CVE-2025-10279.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade MLflow to version 3.11.0 or later to remediate insecure temporary directory permissions
  • Audit shared NFS mount environments, particularly Databricks deployments, for MLflow installations prior to 3.11.0
  • Review and restrict local user access to MLflow runtime environments where upgrades cannot be immediately applied
  • Monitor for suspicious file modifications in MLflow temporary directories
  • Implement filesystem-level access controls on NFS mounts to limit cross-user directory access
  • Validate model artifact integrity through checksum verification before deserialization operations
  • Review security posture of cloudpickle deserialization workflows and consider sandboxing for untrusted model artifacts
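The audit and integrity-check actions above, as an added example that is not part of the advisory or of MLflow's own code. It flags directories carrying the two insecure modes named in the advisory (0o777 and 0o770), creates the owner-only directory a hardened code path would use, and gates deserialization on a SHA-256 digest recorded when the artifact was produced; the directory names and artifact bytes are constructed for the demonstration.

```python
import hashlib, hmac, os, stat, tempfile

def mode_issues(mode: int) -> list[str]:
    """Reasons a directory mode is unsafe for private artifacts (catches 0o777 and 0o770)."""
    issues = []
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues

def audit_tree(root: str) -> dict[str, list[str]]:
    """Report every directory under root that users other than the owner can write to."""
    findings = {}
    for dirpath, _, _ in os.walk(root):
        issues = mode_issues(stat.S_IMODE(os.lstat(dirpath).st_mode))
        if issues:
            findings[dirpath] = issues
    return findings

def create_private_dir(path: str) -> int:
    """Owner-only (0o700) directory, the safe counterpart of a 0o777 temp dir; returns the mode."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # explicit chmod so the umask cannot widen the mode
    return stat.S_IMODE(os.stat(path).st_mode)

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_before_load(path: str, expected_sha256: str) -> bool:
    """Gate cloudpickle.load() on a digest recorded when the artifact was produced."""
    return hmac.compare_digest(sha256_of(path), expected_sha256)

def demo() -> dict:
    """Constructed scenario: one dir left 0o777, one created privately, one tampered artifact."""
    base = tempfile.mkdtemp()  # mkdtemp creates base as 0o700
    loose = os.path.join(base, "nfs_tmp")
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # reproduce the insecure mode described in the advisory
    private_mode = create_private_dir(os.path.join(base, "model_dl"))
    artifact = os.path.join(base, "model_dl", "model.pkl")
    with open(artifact, "wb") as f:
        f.write(b"constructed-artifact-bytes")
    recorded = sha256_of(artifact)  # digest taken at artifact creation time
    with open(artifact, "ab") as f:
        f.write(b"-modified")  # simulates modification in the shared directory
    return {"findings": audit_tree(base), "private_mode": private_mode,
            "tampered_rejected": not verify_before_load(artifact, recorded)}
```

The same `audit_tree()` call can be pointed at a real NFS temp root to inventory directories that still carry the pre-3.11.0 modes.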

Evidence notes

The vulnerability description indicates this is a continuation of CVE-2025-10279, which was only partially fixed. The insecure permissions (0o777 and 0o770) in temporary directory creation functions enable local attackers to tamper with cloudpickle-serialized model artifacts. The CVSS vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local attack vector with high impact on confidentiality, integrity, and availability.

Official resources

2026-05-18T21:16:40.710Z