Mlflow
Monthly
Dataset digest computation in MLflow up to version 3.10.0 uses MD5 - a cryptographically broken algorithm - to fingerprint datasets, enabling a local attacker to craft colliding inputs that undermine dataset integrity tracking. Affected functions include compute_pandas_digest, compute_numpy_digest, and hash_dict_of_arrays in mlflow/data/digest_utils.py, which use a truncated 8-character MD5 digest that further reduces the collision space. Publicly available exploit code exists; this vulnerability is not confirmed actively exploited per CISA KEV, and the CVSS 4.0 score of 1.1 reflects the constrained local-only attack surface.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Default password auth bypass in MLflow ML platform. EPSS 1.4%.
Unauthenticated remote code execution in MLflow Tracking Server through directory traversal in artifact file path handling enables attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient validation of user-supplied paths in file operations, allowing exploitation without authentication. No patch is currently available for affected AI/ML deployments.
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. [CVSS 8.1 HIGH]
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 26.9%.
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dataset digest computation in MLflow up to version 3.10.0 uses MD5 - a cryptographically broken algorithm - to fingerprint datasets, enabling a local attacker to craft colliding inputs that undermine dataset integrity tracking. Affected functions include compute_pandas_digest, compute_numpy_digest, and hash_dict_of_arrays in mlflow/data/digest_utils.py, which use a truncated 8-character MD5 digest that further reduces the collision space. Publicly available exploit code exists; this vulnerability is not confirmed actively exploited per CISA KEV, and the CVSS 4.0 score of 1.1 reflects the constrained local-only attack surface.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Default password auth bypass in MLflow ML platform. EPSS 1.4%.
Unauthenticated remote code execution in MLflow Tracking Server through directory traversal in artifact file path handling enables attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient validation of user-supplied paths in file operations, allowing exploitation without authentication. No patch is currently available for affected AI/ML deployments.
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. [CVSS 8.1 HIGH]
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 26.9%.
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.