Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/* endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.
AnalysisAI
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.
Technical ContextAI
MLflow is an open-source machine learning lifecycle platform whose tracking server can be run with the --serve-artifacts flag to proxy artifact storage through the server. The vulnerability is a CWE-862 Missing Authorization in the auth module (mlflow/server/auth/__init__.py), where the _is_proxy_artifact_path helper failed to recognize the multipart upload subpaths (mpu/create, mpu/complete, mpu/abort) under both /api/2.0/mlflow-artifacts/ and /ajax-api/2.0/mlflow-artifacts/ as proxy artifact paths, and the _get_proxy_artifact_validator did not map POST requests on those routes to validate_can_update_experiment_artifact_proxy. As a result, requests to MPU endpoints bypassed the per-experiment permission check that protects the rest of the artifact proxy surface, even though authentication itself was still required.
RemediationAI
Vendor-released patch: upgrade to MLflow 3.10.0 or later, which adds the missing /mlflow-artifacts/mpu/ path prefixes to the proxy artifact path detection and wires POST on those routes to validate_can_update_experiment_artifact_proxy (see commit https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f). Where immediate upgrade is not possible, the most effective compensating controls are to disable --serve-artifacts and front artifact storage with a separately authenticated object store (trade-off: clients must be reconfigured with direct storage credentials), or to block POST requests to /api/2.0/mlflow-artifacts/mpu/* and /ajax-api/2.0/mlflow-artifacts/mpu/* at a reverse proxy with per-user ACLs (trade-off: multipart uploads of large artifacts will fail and clients fall back to single-part uploads or break entirely). Tightening user provisioning so that only trusted accounts exist on shared trackers, and reviewing recent artifact writes for cross-experiment anomalies, reduces residual risk during the patch window.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31642
GHSA-8c7q-86fq-vvmh