PatchSiren

mlflow CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW MLflow CVE published 2026-06-04

CVE-2026-10803

A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult.

CRITICAL mlflow CVE published 2026-05-25

CVE-2026-2651

A critical authorization bypass vulnerability in MLflow's multipart upload (MPU) endpoints allows authenticated attackers to overwrite artifacts belonging to other users when `--serve-artifacts` mode is enabled. The flaw stems from missing resource-level permission checks on `/mlflow-artifacts/mpu/*` endpoints, enabling cross-user write access. This can result in model supply chain poisoning and arbitrary [truncated]

MEDIUM mlflow CVE published 2026-05-21

CVE-2026-2734

CVE-2026-2734 is an information-disclosure issue in MLflow versions up to 3.9.0. When basic authentication is enabled, the REST `SearchModelVersions` endpoint and the `mlflowSearchModelVersions` GraphQL query do not enforce the expected per-model authorization checks, allowing an authenticated user to enumerate model versions across all registered models. The exposed metadata can include model names, vers [truncated]

CRITICAL mlflow CVE published 2026-05-19

CVE-2026-2611

CVE-2026-2611 is a critical remote attack surface issue in MLflow Assistant where improper origin validation on /ajax-api endpoints can let a malicious webpage interact with the Assistant on a victim’s local machine. According to the published description, this can bypass the intended loopback-only restriction, change Assistant configuration, and lead to arbitrary command execution through the Claude Code [truncated]

HIGH mlflow CVE published 2026-05-18

CVE-2026-4137

## Summary CVE-2026-4137 is a **HIGH** severity (CVSS 7.0) local privilege escalation vulnerability in MLflow versions prior to 3.11.0. The vulnerability stems from insecure temporary directory permissions that allow local attackers to tamper with model artifacts and achieve arbitrary code execution through deserialization attacks. ## Technical Analysis The vulnerability exists in two functions within the [truncated]

CRITICAL mlflow CVE published 2026-03-30

CVE-2025-15036

CVE-2025-15036 is a critical path traversal vulnerability in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arb [truncated]

HIGH mlflow CVE published 2026-03-27

CVE-2025-15381

CVE-2025-15381 is a high-severity vulnerability in the mlflow/mlflow project. When the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. The vulnerability impacts conf [truncated]

CRITICAL mlflow CVE published 2026-03-18

CVE-2025-15031

CVE-2025-15031 is a critical vulnerability in MLflow's pyfunc extraction process. The issue arises from the use of `tarfile.extractall` without path validation, enabling crafted tar.gz files to escape the intended extraction directory. This can lead to arbitrary file overwrites and potential remote code execution. The vulnerability affects the latest version of MLflow and poses a high/critical risk, espec [truncated]

HIGH MLflow CVE published 2026-02-20

CVE-2026-2635

CVE-2026-2635 is a high-severity vulnerability in MLflow, a popular open-source platform for managing the end-to-end machine learning lifecycle. The vulnerability, with a CVSS score of 7.3, allows remote attackers to bypass authentication on affected installations of MLflow. The flaw exists within the basic_auth.ini file, which contains hard-coded default credentials. An attacker can leverage this vulnera [truncated]

HIGH MLflow CVE published 2026-02-20

CVE-2026-2033

CVE-2026-2033 is a high-severity vulnerability in MLflow Tracking Server, allowing remote code execution via directory traversal. The vulnerability exists in the handling of artifact file paths, where user-supplied paths are not properly validated before use in file operations. This allows remote attackers to execute arbitrary code on affected installations without requiring authentication. The vulnerabil [truncated]