What is the CVSS score of CVE-2026-2614?

CVE-2026-2614 has a CVSS 3.0 base score of 7.5 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of MLflow are affected by CVE-2026-2614?

MLflow versions 3.9.0 and earlier contain a critical path traversal vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem.. A patch is available.

How to fix or mitigate CVE-2026-2614?

Within 24 hours: Identify all MLflow instances running versions 3.9.0 or earlier and document current version inventory. Within 7 days: Upgrade MLflow to version 3.10.0 or later, which patches the vulnerability by blocking file:// URIs and absolute paths in prompt sources. Within 30 days: Conduct a security audit to determine if this vulnerability was exploited (review CreateModelVersion API logs for suspicious requests with 'mlflow.prompt.is_prompt' tags and non-standard source paths), and assess what files may have been accessed.

MLflow CVE-2026-2614

EUVD-2026-29180 HIGH

Path Traversal (CWE-22)

2026-05-11 @huntr_ai

GHSA-42h5-h8qh-vv9v

Path Traversal

7.5

CVSS 3.0

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

May 11, 2026 - 20:02 EUVD

Source Code Evidence Fetched

May 11, 2026 - 19:46 vuln.today

Analysis Generated

May 11, 2026 - 19:46 vuln.today

CVE Published

May 11, 2026 - 19:02 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 pypi packages depend on mlflow (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.10.0.

DescriptionNVD

A vulnerability in the _create_model_version() handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The get_model_version_artifact_handler() function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

AnalysisAI

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. …

RemediationAI

Within 24 hours: Identify all MLflow instances running versions 3.9.0 or earlier and document current version inventory. Within 7 days: Upgrade MLflow to version 3.10.0 or later, which patches the vulnerability by blocking file:// URIs and absolute paths in prompt sources. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-2614 vulnerability details – vuln.today

Back

MLflow CVE-2026-2614

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code