1231 matches found
CVE-2026-0545
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
CVE-2026-0545 Missing Authentication for Critical Function in mlflow/mlflow
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
CVE-2026-0545 Missing Authentication for Critical Function in mlflow/mlflow
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
CVE-2026-0545
In mlflow/mlflow, the FastAPI endpoints under /ajax-api/3.0/jobs/* are unprotected when the basic-auth app is enabled. If job execution is enabled (MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without cr...
MLflow 访问控制错误漏洞
MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible executions, and sharing and deploying models. There is a security vulnerability in MLflow, which stems from the lack of authentication or...
CVE-2026-0596
A command injection vulnerability exists in mlflow/mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for...
CVE-2025-15379
A flaw was found in MLflow. When deploying a model with envmanager=LOCAL, MLflow's model serving container initialization code, specifically the installmodeldependenciestoenv function, reads dependency specifications from the model artifact's pythonenv.yaml file. An attacker can supply a maliciou...
a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +946 more potentially affected by CVE-2026-0596 via mlflow (>=0.8.2 <=3.8.1)
mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2026-0596 Source advisory: OSV:GHSA-RVHJ-8CHJ-8V3C...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +757 more potentially affected by CVE-2026-0596 via mlflow-skinny (>=3.0.0 <=3.9.0)
mlflow-skinny PYPI version =3.0.0, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2026-0596 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-15918170...
EUVD-2026-17415
A command injection vulnerability exists in mlflow/mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +696 more potentially affected by CVE-2026-0596 via mlflow (>=3.0.0rc2 <=3.9.0)
mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2026-0596 Source advisory: SNYK:PYTHON-MLFLOW-15907602...
GHSA-RVHJ-8CHJ-8V3C Mlflow: Command Injection when serving models with enable_mlserver=True
A command injection vulnerability exists in Mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for command...
Mlflow: Command Injection when serving models with enable_mlserver=True
A command injection vulnerability exists in Mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for command...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection when serving models with enablemlserver=True due to unsanitized input being embedded into a shell command. An attacker can execute arbitrary commands by supplying specially crafted model URIs containing shell...
Command Injection
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Command Injection when serving models with enablemlserver=True due...
CVE-2026-0596
A command injection vulnerability exists in mlflow/mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for...
CVE-2026-0596
A command injection vulnerability exists in mlflow/mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for...
CVE-2026-0596 Command Injection in mlflow/mlflow
A command injection vulnerability exists in mlflow/mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for...
CVE-2026-0596 Command Injection in mlflow/mlflow
A command injection vulnerability exists in mlflow/mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for...
CVE-2026-0596
The CWE/CVE describes a command-injection in mlflow/mlflow when serving a model with enable_mlserver=True. The vulnerability occurs because model_uri is embedded directly into a shell command executed via bash -c without sanitization, allowing shell metacharacters (e.g., $(), backticks) to enable...