Skip to main content

Mlflow Mlflow CVE-2025-15036

| EUVDEUVD-2025-209119 CRITICAL
Path Traversal: '\\..\\filename' (CWE-29)
2026-03-30 @huntr_ai GHSA-vhcx-3pq2-4fvc
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 28, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 14:37 NVD
9.6 (CRITICAL) 10.0 (CRITICAL)
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 01:45 euvd
EUVD-2025-209119
Analysis Generated
Mar 30, 2026 - 01:45 vuln.today
CVE Published
Mar 30, 2026 - 01:16 nvd
CRITICAL 9.6

DescriptionNVD

A path traversal vulnerability exists in the extract_archive_to_dir function within the mlflow/pyfunc/dbconnect_artifact_cache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

AnalysisAI

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitrary files and potentially escape sandbox isolation via malicious archive uploads. The vulnerability affects the extract_archive_to_dir function which fails to validate tar member paths during extraction. Exploitation requires user interaction (CVSS UI:R) but needs no authentication (PR:N). EPSS data not provided, but no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Public exploit code exists via Huntr bounty disclosure.

Technical ContextAI

This vulnerability affects MLflow (cpe:2.3:a:mlflow:mlflow/mlflow), an open-source platform for managing machine learning lifecycle. The flaw resides in the extract_archive_to_dir function within mlflow/pyfunc/dbconnect_artifact_cache.py, which handles artifact extraction from tar.gz archives. The root cause is CWE-29 (Path Traversal: '..\filename'), where insufficient validation of tar member paths allows directory traversal sequences. When MLflow processes user-supplied tar.gz files, an attacker can craft malicious archives containing paths like '../../etc/passwd' or similar traversal patterns. During extraction, these paths are not sanitized, allowing files to be written outside the intended extraction directory. This is particularly dangerous in multi-tenant MLflow deployments or shared cluster environments where sandbox isolation is critical for security boundaries.

RemediationAI

Vendor-released patch: MLflow version 3.7.0. Organizations should immediately upgrade to MLflow 3.7.0 or later, which includes the fix implemented in commit 3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346 (available at https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346). The patch implements proper validation of tar member paths to prevent directory traversal during archive extraction. Upgrade can typically be performed via pip install --upgrade mlflow>=3.7.0. For environments where immediate patching is not feasible, implement network-level controls to restrict who can upload artifacts to MLflow servers, enforce strict input validation on tar.gz files before they reach MLflow, and consider running MLflow in isolated containers with restricted filesystem permissions to limit the impact of successful exploitation. Review audit logs for suspicious artifact uploads or unusual file system access patterns that might indicate exploitation attempts. In multi-tenant environments, evaluate whether additional sandbox hardening or process isolation is needed beyond the MLflow application layer.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2025-15036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy