1231 matches found
CVE-2026-3198
MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...
PT-2026-45692
Name of the Vulnerable Software and Affected Versions: MLflow version 3.9.0. Description: When using basic-auth --app-name basic-auth, the software fails to enforce authorization checks for several Gateway API 'list' endpoints. The BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py...
MLflow Security Vulnerability
MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Version 3.9.0 of MLflow contains a security vulnerability. This vulnerability stems from the lack...
BIT-MLFLOW-2026-2611 Improper Origin Validation in mlflow/mlflow
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...
Security Bulletin: Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.
Summary Maximo AI Service uses mlflow-3.9.0rc0-py3-none-any.whl, bcprov-jdk18on-1.79.jar, mlflow-3.8.1-py3-none-any.whl and GitPython-3.1.44-py3-none-any.whl which are vulnerable to CVE-2026-0545, CVE-2025-14813, CVE-2026-0636, CVE-2026, CVE-2025-15031, CVE-2025-15036, CVE-2025, CVE-2026-42215,...
CVE-2026-2651
A flaw was found in MLflow when the --serve-artifacts mode is enabled. A remote attacker can exploit this vulnerability due to insufficient resource-level permission checks for multipart upload (MPU) endpoints. This allows the attacker to overwrite artifacts belonging to other users, which can lead...
CVE-2026-2611
A flaw was found in MLflow. Improper origin validation in the MLflow Assistant's /ajax-api endpoints allows a remote attacker to exploit cross-origin requests from a malicious webpage. This enables interaction with the MLflow Assistant running on a victim's local machine, bypassing loopback-only...
azure-ai-generative (>=1.0.0b1 <=1.0.0b3), azure-ai-resources (>=1.0.0b1 <=1.0.0b9) +15 more potentially affected by CVE-2026-2651 via mlflow-skinny (>=3.0.0 <=3.0.1)
mlflow-skinny PYPI version =3.0.0, =1.0.0b1, =1.0.0b1, =0.1.0, =0.1.0, =2.5.0, =0.0.13, =3.0.0, =0.1.0, =0.1.4 and more Source cves: CVE-2026-2651 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16874026...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the /mlflow-artifacts/mpu/ endpoints in --serve-artifacts mode. An attacker can gain unauthorized access to and overwrite artifacts belonging to other users by manipulating artifactpath and pathfilename argument...
Missing Authorization
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization in the /mlflow-artifacts/mpu/ endpoints in...
CVE-2026-2651
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/ endpoints, enabling attackers to overwrite...
CVE-2026-2651 Missing Authorization Validation in mlflow/mlflow
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/ endpoints, enabling attackers to overwrite...
CVE-2026-2651
MLflow CVE-2026-2651 describes missing authorization validation for MPU endpoints under /mlflow-artifacts/mpu/* when serve-artifacts is enabled. Vulnerable in MLflow versions
MLflow Security Vulnerability
MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow 3.10.1.dev0 and prior versions, which stems from the...
PT-2026-43005
Name of the Vulnerable Software and Affected Versions: MLflow versions prior to 3.10.0. Description: Unauthorized access to multipart upload (MPU) endpoints is possible when the --serve-artifacts mode is enabled. The authorization logic fails to enforce resource-level permission checks for endpoints...
CVE-2026-2734
A flaw was found in mlflow. An authenticated user could exploit a lack of proper authorization checks in the SearchModelVersions REST API and mlflowSearchModelVersions GraphQL query. This flaw allows them to enumerate all model versions across all registered models, potentially exposing sensitive...
databricks-agents (>=0.1.0 <=1.0.0rc1), datamint (>=2.5.0 <=2.5.2) +3 more potentially affected by CVE-2026-2734 via mlflow (>=3.0.0rc2 <=3.0.1)
mlflow PYPI version =3.0.0rc2, =0.1.0, =2.5.0, =0.2.0.dev0, =0.6.7, =0.8.1 Source cves: CVE-2026-2734 Source advisory: SNYK:PYTHON-MLFLOW-16787326...
azure-ai-generative (>=1.0.0b1 <=1.0.0b3), azure-ai-resources (>=1.0.0b1 <=1.0.0b9) +15 more potentially affected by CVE-2026-2734 via mlflow-skinny (>=3.0.0 <=3.0.1)
mlflow-skinny PYPI version =3.0.0, =1.0.0b1, =1.0.0b1, =0.1.0, =0.1.0, =2.5.0, =0.0.13, =3.0.0, =0.1.0, =0.1.4 and more Source cves: CVE-2026-2734 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16787325...