Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 pypi packages depend on mlflow (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.10.0.
DescriptionCVE.org
A vulnerability in the _create_model_version() handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The get_model_version_artifact_handler() function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
AnalysisAI
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. The get_model_version_artifact_handler() function later serves files from that path without checking prompt status, enabling full confidentiality breach. Fixed in version 3.10.0 per commit 6e801f4 which blocks file:// URIs and absolute paths for prompt sources. CVSS 7.5 (High) reflects network attack vector with no authentication or user interaction required.
Technical ContextAI
MLflow is an open-source platform for managing machine learning lifecycle, including model versioning and artifact storage. The vulnerability exists in the mlflow/server/handlers.py module's _create_model_version() function. When processing CreateModelVersion requests, MLflow conditionally validates source paths based on the presence of the 'mlflow.prompt.is_prompt' tag (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Prior to 3.10.0, the validation logic inverted the check-prompts were NOT validated while regular model versions were. Attackers exploited this by tagging requests as prompts to store arbitrary filesystem paths (e.g., /etc/passwd, file:///proc/self/environ) in the model version metadata. The separate get_model_version_artifact_handler() function retrieves and serves files from the stored source path without re-verifying prompt status or path safety, creating a path traversal vulnerability. The fix introduces explicit blocking of file:// URIs and absolute paths for prompt sources, plus path traversal validation for sources with URL schemes.
RemediationAI
Upgrade to MLflow version 3.10.0 or later immediately. The fix in commit 6e801f4 blocks file:// URIs and absolute paths for prompt sources and adds path traversal validation for URL-schemed sources. Installation command: pip install --upgrade mlflow>=3.10.0 (for Python environments) or update container images to mlflow:3.10.0+ tags. If immediate upgrade is not feasible, implement network-level compensating controls: (1) restrict MLflow server access to authenticated internal networks only via firewall rules or VPN-blocks remote unauthenticated attack vector but reduces legitimate external access; (2) deploy a reverse proxy (nginx/Apache) that inspects and blocks CreateModelVersion POST requests containing the 'mlflow.prompt.is_prompt' tag from untrusted sources-requires custom request filtering logic and may break legitimate prompt workflows; (3) run MLflow server processes in sandboxed containers with minimal filesystem access using read-only root filesystems and explicit volume mounts for required paths only-limits blast radius but requires infrastructure reconfiguration. All workarounds have operational trade-offs; vendor-released patch is the definitive solution. Verify fix deployment by testing that CreateModelVersion requests with prompt tags and file:// or absolute path sources return HTTP 400 errors as shown in commit tests.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29180
GHSA-42h5-h8qh-vv9v