Lucene search
+L

1274 matches found

CNNVD
CNNVD
added 2026/06/03 12:0 a.m.11 views

MLflow 安全漏洞

MLflow is an open-source platform that simplifies machine learning development. It includes features for tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Versions of MLflow prior to 3.11.0 contained a security vulnerability, which was caused by an issu...

9.1CVSS8.3AI score0.00435EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/06/02 10:52 p.m.16 views

CVE-2026-2614

A flaw was found in mlflow. An unauthenticated remote attacker can exploit a vulnerability in the createmodelversion handler by including a specific tag, mlflow.prompt.isprompt, in a CreateModelVersion request. This bypasses source path validation, allowing the attacker to specify an arbitrary...

7.5CVSS7.1AI score0.00712EPSS
Exploits1References5
NVD
NVD
added 2026/06/02 4:17 a.m.17 views

CVE-2026-3198

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS0.00244EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/02 2:50 a.m.9 views

CVE-2026-3198 Improper Access Control in mlflow/mlflow

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS6.6AI score0.00244EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/02 2:50 a.m.8 views

CVE-2026-3198

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS6.6AI score0.00244EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/02 2:50 a.m.13 views

EUVD-2026-33880

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS6.6AI score0.00244EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/02 2:50 a.m.47 views

CVE-2026-3198 Improper Access Control in mlflow/mlflow

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS0.00244EPSS
Exploits1References1
CVE
CVE
added 2026/06/02 2:50 a.m.30 views

CVE-2026-3198

MLflow 3.9.0 with basic-auth fails authorization for multiple Gateway API 'list' endpoints. The BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/init .py lacks entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions, allowing any authenticated user to enu...

6.5CVSS6.6AI score0.00244EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/06/02 2:50 a.m.3 views

CVE-2026-3198 Improper Access Control in mlflow/mlflow

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS6.6AI score0.00244EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/02 2:50 a.m.8 views

Direct Request ('Forced Browsing')

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Direct Request 'Forced Browsing' in the Gateway API endpoints due ...

7.1CVSS6.6AI score0.00244EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.19 views

PT-2026-45692

Name of the Vulnerable Software and Affected Versions MLflow version 3.9.0 Description When using basic-auth --app-name basic-auth, the software fails to enforce authorization checks for several Gateway API 'list' endpoints. The BEFORE REQUEST HANDLERS dictionary in mlflow/server/auth/ init .py...

6.5CVSS6.5AI score0.00244EPSS
Exploits1References13
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.9 views

MLflow 安全漏洞

MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Version 3.9.0 of MLflow contains a security vulnerability. This vulnerability stems from the lack...

6.5CVSS5.3AI score0.00244EPSS
Exploits1References1
OSV
OSV
added 2026/05/29 8:48 a.m.12 views

BIT-MLFLOW-2026-2611 Improper Origin Validation in mlflow/mlflow

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

9.6CVSS7.6AI score0.00371EPSS
Exploits1References6
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/27 4:3 p.m.19 views

Security Bulletin: Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.

Summary Maximo AI Service uses mlflow-3.9.0rc0-py3-none-any.whl, bcprov-jdk18on-1.79.jar, mlflow-3.8.1-py3-none-any.whl and GitPython-3.1.44-py3-none-any.whl which are vulnerable to CVE-2026-0545, CVE-2025-14813, CVE-2026-0636, CVE-2026, CVE-2025-15031, CVE-2025-15036, CVE-2025, CVE-2026-42215,...

10CVSS7.9AI score0.01994EPSS
Exploits8Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/27 1:9 p.m.13 views

CVE-2026-2651

A flaw was found in MLflow when the --serve-artifacts mode is enabled. A remote attacker can exploit this vulnerability due to insufficient resource-level permission checks for multipart upload MPU endpoints. This allows the attacker to overwrite artifacts belonging to other users, which can lead...

9CVSS7.7AI score0.00345EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/05/27 12:59 p.m.15 views

CVE-2026-2611

A flaw was found in MLflow. Improper origin validation in the MLflow Assistant's /ajax-api endpoints allows a remote attacker to exploit cross-origin requests from a malicious webpage. This enables interaction with the MLflow Assistant running on a victim's local machine, bypassing loopback-only...

9.6CVSS7.5AI score0.00371EPSS
Exploits1References5
vulnersOsv
vulnersOsv
added 2026/05/25 7:33 a.m.8 views

azure-ai-generative (>=1.0.0b1 <=1.0.0b3), azure-ai-resources (>=1.0.0b1 <=1.0.0b9) +15 more potentially affected by CVE-2026-2651 via mlflow-skinny (>=3.0.0 <=3.0.1)

mlflow-skinny PYPI version =3.0.0, =1.0.0b1, =1.0.0b1, =0.1.0, =0.1.0, =2.5.0, =0.0.13, =3.0.0, =0.1.0, =0.1.4 and more Source cves: CVE-2026-2651 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16874026...

9CVSS7.7AI score0.00345EPSS
Exploits1
Snyk
Snyk
added 2026/05/25 7:33 a.m.10 views

Missing Authorization

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization in the /mlflow-artifacts/mpu/ endpoints in...

9CVSS7.8AI score0.00345EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/25 7:33 a.m.11 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the /mlflow-artifacts/mpu/ endpoints in --serve-artifacts mode. An attacker can gain unauthorized access to and overwrite artifacts belonging to other users by manipulating artifactpath and pathfilename argument...

9CVSS7.8AI score0.00345EPSS
Exploits1References2
PyPA
PyPA
added 2026/05/25 7:16 a.m.4 views

PYSEC-2026-2220

A vulnerability in MLflow versions =3.10.1.dev0 allows unauthorized access to multipart upload MPU endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/ endpoints, enabling attackers to overwrite...

9CVSS7.4AI score0.00345EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder