Skip to main content

Mlflow Mlflow CVE-2025-15381

| EUVDEUVD-2025-209100 HIGH
Information Exposure (CWE-200)
2026-03-27 @huntr_ai GHSA-g6pg-52vf-843h
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 14:37 NVD
8.1 (HIGH) 7.1 (HIGH)
EUVD ID Assigned
Mar 27, 2026 - 16:45 euvd
EUVD-2025-209100
Analysis Generated
Mar 27, 2026 - 16:45 vuln.today
CVE Published
Mar 27, 2026 - 16:17 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on mlflow (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.8.1.

DescriptionNVD

In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NO_PERMISSIONS on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using mlflow server --app-name=basic-auth are affected.

AnalysisAI

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated user with no experiment permissions to read trace metadata and create unauthorized assessments. The vulnerability affects MLflow deployments running with the '--app-name=basic-auth' flag and carries a CVSS score of 8.1 (High) with network-based attack vector requiring low privilege authentication. This vulnerability was reported via the HackerOne bug bounty platform (@huntr_ai) with no public exploit identified at time of analysis.

Technical ContextAI

MLflow is an open-source platform for managing machine learning lifecycle, including experimentation, reproducibility, and deployment. The affected component is the basic-auth application module, which implements permission-based access controls for experiment resources. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where specific API endpoints for tracing functionality and assessment creation bypass the permission validation layer. The CPE identifier (cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*) indicates broad version impact across the MLflow product line. Tracing endpoints expose metadata about ML experiment execution flows, while assessment endpoints allow annotation and evaluation of traces, both of which should be protected by the role-based access control system when basic-auth is enabled.

RemediationAI

Consult the HuntrDev bounty disclosure at https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c for vendor-released patch information and specific version guidance. As an interim mitigation, implement network-layer access controls to restrict access to MLflow tracing and assessment API endpoints (/api/2.0/mlflow/traces/* and related assessment paths) to only trusted administrator IP ranges. Consider disabling the basic-auth application if multi-tenant permission enforcement is not required, or implement reverse proxy authentication with explicit endpoint-level authorization rules that enforce experiment-level permissions before proxying requests to MLflow. Review audit logs for any unauthorized trace reads or assessment creation activity by users lacking experiment permissions to identify potential exploitation. Organizations should subscribe to MLflow security advisories and monitor the GitHub repository for security-related commits addressing this permission bypass.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

Vendor StatusVendor

Share

CVE-2025-15381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy