Mlflow Mlflow
Monthly
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive credentials from the MLflow AI Gateway by abusing the `$ENV_VAR` resolution feature in gateway secret configuration. By registering or modifying a gateway route where `api_key` references an environment variable like `$AWS_SECRET_ACCESS_KEY` and pointing `api_base` at an attacker-controlled endpoint, the resolved secret is transmitted in upstream provider authentication headers. Publicly available exploit code exists via the huntr.com bounty disclosure, though EPSS remains low at 0.28% (51st percentile) and the issue is not in CISA KEV.
Missing authorization enforcement in MLflow 3.9.0 allows any low-privileged authenticated user to enumerate all gateway secrets, endpoints, and model definitions via three unprotected Gateway API list endpoints. The root cause is an omission in the `BEFORE_REQUEST_HANDLERS` dictionary within `mlflow/server/auth/__init__.py`, which gates authorization for request handlers - three Gateway API list operations (`ListGatewaySecretInfos`, `ListGatewayEndpoints`, `ListGatewayModelDefinitions`) are absent from this registry, bypassing access control entirely when basic-auth is active. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low attack complexity and high confidentiality impact warrant prompt remediation in any deployment with multi-tenant or least-privilege access expectations.
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.
Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint `SearchModelVersions` and the GraphQL query `mlflowSearchModelVersions` were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protections on /ajax-api endpoints when a victim visits a malicious webpage, ultimately achieving arbitrary command execution through the Claude Code sub-agent. The flaw stems from improper origin validation (CWE-346) and is fixed in version 3.10.0; no public exploit identified at time of analysis, though a detailed huntr.com report and an upstream commit are publicly available.
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. The get_model_version_artifact_handler() function later serves files from that path without checking prompt status, enabling full confidentiality breach. Fixed in version 3.10.0 per commit 6e801f4 which blocks file:// URIs and absolute paths for prompt sources. CVSS 7.5 (High) reflects network attack vector with no authentication or user interaction required.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254). Affects MLflow versions prior to 3.9.0. The webhook creation endpoint accepts unvalidated user-controlled URLs that are later used in HTTP POST requests, enabling cloud credential theft, internal network reconnaissance, and data exfiltration. Vendor-released patch available in MLflow 3.9.0, confirmed by GitHub commit 64aa0ab. No active exploitation confirmed (not in CISA KEV), but publicly disclosed with detailed technical analysis from huntr.com.
MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without credentials (CVSS 9.8, CWE-306). Affects mlflow/mlflow latest version when MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true and job functions are allowlisted. Public POC exists per SSVC framework. EPSS score of 0.20% (42nd percentile) indicates low observed exploitation probability despite critical CVSS, suggesting targeted rather than widespread risk. Vendor-released patch not confirmed at time of analysis - remediation relies on configuration changes and service hardening.
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the `env_manager=LOCAL` parameter. The `_install_model_dependencies_to_env()` function unsafely interpolates dependency specifications from `python_env.yaml` directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, no complexity) and publicly available exploit code exists (reported via Huntr bug bounty, patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but exploitation scenario is straightforward for adversaries with model deployment access.
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitrary files and potentially escape sandbox isolation via malicious archive uploads. The vulnerability affects the `extract_archive_to_dir` function which fails to validate tar member paths during extraction. Exploitation requires user interaction (CVSS UI:R) but needs no authentication (PR:N). EPSS data not provided, but no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Public exploit code exists via Huntr bounty disclosure.
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated user with no experiment permissions to read trace metadata and create unauthorized assessments. The vulnerability affects MLflow deployments running with the '--app-name=basic-auth' flag and carries a CVSS score of 8.1 (High) with network-based attack vector requiring low privilege authentication. This vulnerability was reported via the HackerOne bug bounty platform (@huntr_ai) with no public exploit identified at time of analysis.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive credentials from the MLflow AI Gateway by abusing the `$ENV_VAR` resolution feature in gateway secret configuration. By registering or modifying a gateway route where `api_key` references an environment variable like `$AWS_SECRET_ACCESS_KEY` and pointing `api_base` at an attacker-controlled endpoint, the resolved secret is transmitted in upstream provider authentication headers. Publicly available exploit code exists via the huntr.com bounty disclosure, though EPSS remains low at 0.28% (51st percentile) and the issue is not in CISA KEV.
Missing authorization enforcement in MLflow 3.9.0 allows any low-privileged authenticated user to enumerate all gateway secrets, endpoints, and model definitions via three unprotected Gateway API list endpoints. The root cause is an omission in the `BEFORE_REQUEST_HANDLERS` dictionary within `mlflow/server/auth/__init__.py`, which gates authorization for request handlers - three Gateway API list operations (`ListGatewaySecretInfos`, `ListGatewayEndpoints`, `ListGatewayModelDefinitions`) are absent from this registry, bypassing access control entirely when basic-auth is active. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low attack complexity and high confidentiality impact warrant prompt remediation in any deployment with multi-tenant or least-privilege access expectations.
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode enabled to abuse unprotected multipart upload (MPU) endpoints under /mlflow-artifacts/mpu/* and tamper with models owned by other users, enabling model supply chain poisoning and arbitrary code execution when poisoned models are deserialized. The SSVC framework classifies this as having a public proof-of-concept with total technical impact, though EPSS exploitation probability is currently only 0.05% (16th percentile) and no public exploit identified at time of analysis as actively weaponized.
Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint `SearchModelVersions` and the GraphQL query `mlflowSearchModelVersions` were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protections on /ajax-api endpoints when a victim visits a malicious webpage, ultimately achieving arbitrary command execution through the Claude Code sub-agent. The flaw stems from improper origin validation (CWE-346) and is fixed in version 3.10.0; no public exploit identified at time of analysis, though a detailed huntr.com report and an upstream commit are publicly available.
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier. By submitting a CreateModelVersion request with the tag 'mlflow.prompt.is_prompt' and an arbitrary local filesystem path as the source, attackers bypass validation logic. The get_model_version_artifact_handler() function later serves files from that path without checking prompt status, enabling full confidentiality breach. Fixed in version 3.10.0 per commit 6e801f4 which blocks file:// URIs and absolute paths for prompt sources. CVSS 7.5 (High) reflects network attack vector with no authentication or user interaction required.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254). Affects MLflow versions prior to 3.9.0. The webhook creation endpoint accepts unvalidated user-controlled URLs that are later used in HTTP POST requests, enabling cloud credential theft, internal network reconnaissance, and data exfiltration. Vendor-released patch available in MLflow 3.9.0, confirmed by GitHub commit 64aa0ab. No active exploitation confirmed (not in CISA KEV), but publicly disclosed with detailed technical analysis from huntr.com.
MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without credentials (CVSS 9.8, CWE-306). Affects mlflow/mlflow latest version when MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true and job functions are allowlisted. Public POC exists per SSVC framework. EPSS score of 0.20% (42nd percentile) indicates low observed exploitation probability despite critical CVSS, suggesting targeted rather than widespread risk. Vendor-released patch not confirmed at time of analysis - remediation relies on configuration changes and service hardening.
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the `env_manager=LOCAL` parameter. The `_install_model_dependencies_to_env()` function unsafely interpolates dependency specifications from `python_env.yaml` directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, no complexity) and publicly available exploit code exists (reported via Huntr bug bounty, patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but exploitation scenario is straightforward for adversaries with model deployment access.
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitrary files and potentially escape sandbox isolation via malicious archive uploads. The vulnerability affects the `extract_archive_to_dir` function which fails to validate tar member paths during extraction. Exploitation requires user interaction (CVSS UI:R) but needs no authentication (PR:N). EPSS data not provided, but no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Public exploit code exists via Huntr bounty disclosure.
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated user with no experiment permissions to read trace metadata and create unauthorized assessments. The vulnerability affects MLflow deployments running with the '--app-name=basic-auth' flag and carries a CVSS score of 8.1 (High) with network-based attack vector requiring low privilege authentication. This vulnerability was reported via the HackerOne bug bounty platform (@huntr_ai) with no public exploit identified at time of analysis.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.