PatchSiren

Lfprojects CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Lfprojects CVE published 2026-05-15

CVE-2026-2652

CVE-2026-2652 is a high-severity authentication bypass in mlflow/mlflow. When MLflow is started with authentication enabled using `--app-name basic-auth` and served through uvicorn, the FastAPI permission middleware only protects `/gateway/` routes. Other routes, including the Job API and OpenTelemetry trace ingestion, can remain exposed without authentication. In practical terms, an unauthenticated remot [truncated]

HIGH Lfprojects CVE published 2026-03-16

CVE-2025-14287

CVE-2025-14287 is a command injection vulnerability in the mlflow/mlflow project, specifically affecting versions before v3.7.0. The vulnerability is located in the `mlflow/sagemaker/__init__.py` file at lines 161-167 and arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization. These commands are then executed using `os.system()`, allowin [truncated]