1231 matches found
CVE-2026-54283 vulnerabilities
Vulnerabilities for packages: semgrep, airflow, mlflow...
GHSA-4FVR-RGM6-GQMC vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
GHSA-2FQR-MR3J-6WP8 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
GHSA-9X8Q-7H8H-WCW9 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54276 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54277 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54282 vulnerabilities
Vulnerabilities for packages: semgrep, airflow, mlflow...
CVE-2026-54275 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54273 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54278 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54279 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-54280 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
GHSA-JP82-JPQV-5VV3 vulnerabilities
Vulnerabilities for packages: semgrep, airflow, mlflow...
GHSA-G3CQ-J2XW-WF74 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
GHSA-XCGM-R5H9-7989 vulnerabilities
Vulnerabilities for packages: open-webui, mlflow...
CVE-2026-3198
A flaw was found in MLflow. When configured with basic authentication, MLflow fails to enforce proper authorization checks for several Gateway API list endpoints. This oversight allows any authenticated user, regardless of their assigned permissions, to enumerate sensitive information such as...
CVE-2026-10803
A flaw was found in MLflow. This vulnerability stems from the use of a weak hash algorithm within the Dataset Digest Computation component. A local attacker could potentially exploit this weakness, which may impact the integrity or authenticity of data. Exploitation is considered difficult due to...
CVE-2026-2393
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The _create_webhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the _send_webhook_request function in mlflow/webhooks/delivery.py sends HTTP POST request...
CVE-2026-2652
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-4137
In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions...