Skip to main content

MLflow CVE-2026-2651

| EUVDEUVD-2026-31642 CRITICAL
Missing Authorization (CWE-862)
2026-05-25 @huntr_ai GHSA-8c7q-86fq-vvmh
9.0
CVSS 3.1 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Red Hat
9.0 CRITICAL
qualitative

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 08:36 vuln.today
Analysis Generated
Jun 08, 2026 - 08:36 vuln.today
Patch available
May 26, 2026 - 14:16 EUVD

DescriptionCVE.org

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/* endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

AnalysisAI

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.

Technical ContextAI

MLflow is an open-source machine learning lifecycle platform whose tracking server can be run with the --serve-artifacts flag to proxy artifact storage through the server. The vulnerability is a CWE-862 Missing Authorization in the auth module (mlflow/server/auth/__init__.py), where the _is_proxy_artifact_path helper failed to recognize the multipart upload subpaths (mpu/create, mpu/complete, mpu/abort) under both /api/2.0/mlflow-artifacts/ and /ajax-api/2.0/mlflow-artifacts/ as proxy artifact paths, and the _get_proxy_artifact_validator did not map POST requests on those routes to validate_can_update_experiment_artifact_proxy. As a result, requests to MPU endpoints bypassed the per-experiment permission check that protects the rest of the artifact proxy surface, even though authentication itself was still required.

RemediationAI

Vendor-released patch: upgrade to MLflow 3.10.0 or later, which adds the missing /mlflow-artifacts/mpu/ path prefixes to the proxy artifact path detection and wires POST on those routes to validate_can_update_experiment_artifact_proxy (see commit https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f). Where immediate upgrade is not possible, the most effective compensating controls are to disable --serve-artifacts and front artifact storage with a separately authenticated object store (trade-off: clients must be reconfigured with direct storage credentials), or to block POST requests to /api/2.0/mlflow-artifacts/mpu/* and /ajax-api/2.0/mlflow-artifacts/mpu/* at a reverse proxy with per-user ACLs (trade-off: multipart uploads of large artifacts will fail and clients fall back to single-part uploads or break entirely). Tightening user provisioning so that only trusted accounts exist on shared trackers, and reviewing recent artifact writes for cross-experiment anomalies, reduces residual risk during the patch window.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2026-2651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy