What is the CVSS score of CVE-2025-14279?

CVE-2025-14279 has a CVSS 3.0 base score of 8.1 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mlflow are affected by CVE-2025-14279?

CVE-2025-14279 presents notable security risk rated CVSS 8.1. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected systems.. A patch is available.

How to fix or mitigate CVE-2025-14279?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Mlflow CVE-2025-14279

HIGH

Origin Validation Error (CWE-346)

2026-01-12 security@huntr.dev

GHSA-pgqp-8h46-6x4j

Authentication Bypass Mlflow

8.1

CVSS 3.0 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 12, 2026 - 09:15 nvd

HIGH 8.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 pypi packages depend on mlflow (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.5.0.

DescriptionCVE.org

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.

AnalysisAI

Technical ContextAI

Classified as CWE-346 (Origin Validation Error). MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.

RemediationAI

Fixed in version 3.5.0.. Restrict network access to the affected service where possible.

CVE-2025-14279 vulnerability details – vuln.today

Back