
MLflow CVE-2026-4137

EUVD-2026-30807 | Severity: HIGH
Creation of Temporary File With Insecure Permissions (CWE-378)
2026-05-18 @huntr_ai GHSA-f2m9-wcf4-cwwx
CVSS 3.0 score: 7.0

CVSS Vector (NVD)

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: May 18, 2026 - 21:31 (vuln.today)
Analysis Generated: May 18, 2026 - 21:31 (vuln.today)
Patch available: May 18, 2026 - 21:09 (EUVD)

Description (NVD)

In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via cloudpickle.load(). This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
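A defender-side check for the permission classes named above, as an added example that is not MLflow's code or its fix: it audits a directory tree for group- or world-writable directories and refuses to treat an artifact as loadable unless every path component is owner-only. The function names, the `shared_tmp`/`staging` directory names and the `model.pkl` file are hypothetical and constructed for the demonstration.

```python
import os
import stat
import tempfile

def writable_by(mode):
    """Return 'world', 'group' or None for who besides the owner may write."""
    if mode & stat.S_IWOTH:
        return "world"
    return "group" if mode & stat.S_IWGRP else None

def audit_tree(root):
    """Map every directory under root that group or others can write to a finding."""
    findings = {}
    for dirpath, _dirs, _files in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if writable_by(mode):
            findings[dirpath] = f"{writable_by(mode)}-writable ({mode:#o})"
    return findings

def artifact_is_private(path, trusted_root):
    """True only if path and each directory up to trusted_root is owner-only."""
    path, trusted_root = os.path.realpath(path), os.path.realpath(trusted_root)
    if os.path.commonpath([path, trusted_root]) != trusted_root:
        return False
    current = path
    while True:
        st = os.lstat(current)
        # Reject anything another account owns or could have modified.
        if st.st_uid != os.geteuid() or writable_by(stat.S_IMODE(st.st_mode)):
            return False
        if current == trusted_root:
            return True
        current = os.path.dirname(current)

def demo():
    """Constructed sample tree: returns (findings by dir name, load decisions)."""
    with tempfile.TemporaryDirectory() as base:  # base is created 0o700
        dirs = [tempfile.mkdtemp(dir=base)]  # mkdtemp creates 0o700
        for name, mode in (("shared_tmp", 0o777), ("staging", 0o770)):
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)  # explicit chmod: mkdir's mode is masked by umask
            dirs.append(d)
        decisions = []
        for d in dirs:
            artifact = os.path.join(d, "model.pkl")  # empty placeholder file
            os.close(os.open(artifact, os.O_CREAT | os.O_WRONLY, 0o600))
            decisions.append(artifact_is_private(artifact, base))
        found = {os.path.basename(p): v for p, v in audit_tree(base).items()}
        return found, decisions
```

Calling `demo()` flags the 0o777 and 0o770 directories and accepts only the artifact under the `mkdtemp` directory, even though all three artifact files themselves are mode 0o600.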

Analysis (AI)

Local privilege-based code execution in MLflow versions prior to 3.11.0 stems from temporary directories being created with overly permissive modes (0o777 and 0o770), letting co-located users overwrite cloudpickle-serialized model artifacts that are later deserialized into arbitrary Python execution. The risk is most acute on shared NFS deployments such as Databricks, where the world-writable tmp directory is reachable by any local account on the host. …


Remediation (AI)

Within 24 hours: Inventory all MLflow deployments and identify instances running versions prior to 3.11.0. Within 7 days: Prioritize upgrades for MLflow instances on shared systems (Databricks, multi-tenant NFS environments) to version 3.11.0. …
