Skip to main content

MLflow CVE-2026-2614

| EUVDEUVD-2026-29180 HIGH
Path Traversal (CWE-22)
2026-05-11 @huntr_ai GHSA-42h5-h8qh-vv9v
7.5
CVSS 3.1 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
May 11, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 19:46 vuln.today
Analysis Generated
May 11, 2026 - 19:46 vuln.today
CVE Published
May 11, 2026 - 19:02 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on mlflow (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.10.0.

DescriptionCVE.org

A vulnerability in the _create_model_version() handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The get_model_version_artifact_handler() function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

AnalysisAI

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. The get_model_version_artifact_handler() function later serves files from that path without checking prompt status, enabling full confidentiality breach. Fixed in version 3.10.0 per commit 6e801f4 which blocks file:// URIs and absolute paths for prompt sources. CVSS 7.5 (High) reflects network attack vector with no authentication or user interaction required.

Technical ContextAI

MLflow is an open-source platform for managing machine learning lifecycle, including model versioning and artifact storage. The vulnerability exists in the mlflow/server/handlers.py module's _create_model_version() function. When processing CreateModelVersion requests, MLflow conditionally validates source paths based on the presence of the 'mlflow.prompt.is_prompt' tag (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Prior to 3.10.0, the validation logic inverted the check-prompts were NOT validated while regular model versions were. Attackers exploited this by tagging requests as prompts to store arbitrary filesystem paths (e.g., /etc/passwd, file:///proc/self/environ) in the model version metadata. The separate get_model_version_artifact_handler() function retrieves and serves files from the stored source path without re-verifying prompt status or path safety, creating a path traversal vulnerability. The fix introduces explicit blocking of file:// URIs and absolute paths for prompt sources, plus path traversal validation for sources with URL schemes.

RemediationAI

Upgrade to MLflow version 3.10.0 or later immediately. The fix in commit 6e801f4 blocks file:// URIs and absolute paths for prompt sources and adds path traversal validation for URL-schemed sources. Installation command: pip install --upgrade mlflow>=3.10.0 (for Python environments) or update container images to mlflow:3.10.0+ tags. If immediate upgrade is not feasible, implement network-level compensating controls: (1) restrict MLflow server access to authenticated internal networks only via firewall rules or VPN-blocks remote unauthenticated attack vector but reduces legitimate external access; (2) deploy a reverse proxy (nginx/Apache) that inspects and blocks CreateModelVersion POST requests containing the 'mlflow.prompt.is_prompt' tag from untrusted sources-requires custom request filtering logic and may break legitimate prompt workflows; (3) run MLflow server processes in sandboxed containers with minimal filesystem access using read-only root filesystems and explicit volume mounts for required paths only-limits blast radius but requires infrastructure reconfiguration. All workarounds have operational trade-offs; vendor-released patch is the definitive solution. Verify fix deployment by testing that CreateModelVersion requests with prompt tags and file:// or absolute path sources return HTTP 400 errors as shown in commit tests.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2026-2614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy