Lucene search
K

1252 matches found

cvelist
cvelist
added 2026/06/04 11:45 a.m.46 views

CVE-2026-10803 MLflow Dataset Digest Computation digest_utils.py mlflow.data.digest_utils weak hash

A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digestutils of the file mlflow/data/digestutils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is...

3.6CVSS0.00103EPSS
Exploits1References7
cve
cve
added 2026/06/04 11:45 a.m.36 views

CVE-2026-10803

MLflow up to 3.10.0 contains a flaw in mlflow.data.digest_utils (Digest Computation) where manipulation leads to use of a weak hash. This affects the Digest Utils function in the Dataset Digest Computation component and enables a local attack. The reported exploitability is high in complexity wit...

3.6CVSS5.1AI score0.00103EPSS
Exploits1References7Affected Software1
ptsecurity
ptsecurity
added 2026/06/04 12:0 a.m.17 views

PT-2026-46189

Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.10.1 Description A flaw in the Dataset Digest Computation component allows the use of a weak hash. This issue occurs within the mlflow.data.digest utils function located in the mlflow/data/digest utils.py file. An...

3.6CVSS5.3AI score0.00103EPSS
Exploits1References11
cnnvd
cnnvd
added 2026/06/04 12:0 a.m.8 views

MLflow 安全漏洞

MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Versions of MLflow 3.10.0 and earlier contain security vulnerabilities. These vulnerabilities ste...

3.6CVSS4.9AI score0.00103EPSS
Exploits1References7
vulnersosv
vulnersosv
added 2026/06/03 10:23 a.m.8 views

azure-ai-generative (>=1.0.0b1 <=1.0.0b3), azure-ai-resources (>=1.0.0b1 <=1.0.0b9) +30 more potentially affected by CVE-2026-4035 via mlflow-skinny (>=3.0.0 <=3.11.0rc0)

mlflow-skinny PYPI version =3.0.0, =1.0.0b1, =1.0.0b1, =0.1.0, =0.1.0, =2.5.0, =0.0.13, =7.1.1, =0.2.0, =0.2.1 and more Source cves: CVE-2026-4035 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-17135850...

9.1CVSS7.7AI score0.00435EPSS
Exploits1
vulnersosv
vulnersosv
added 2026/06/03 10:23 a.m.7 views

databricks-agents (>=0.1.0 <=1.0.0rc1), datamint (>=2.5.0 <=2.5.2) +18 more potentially affected by CVE-2026-4035 via mlflow (>=3.0.0rc2 <=3.10.1)

mlflow PYPI version =3.0.0rc2, =0.1.0, =2.5.0, =7.1.1, =0.2.0, =3.10.1, =1.0.1, =1.0.1, =3.0.15, =0.2.0.dev0, =0.6.7, =0.1.19, =0.1.0, =0.1.8 and more Source cves: CVE-2026-4035 Source advisory: SNYK:PYTHON-MLFLOW-17135851...

9.1CVSS7.7AI score0.00435EPSS
Exploits1
snyk
snyk
added 2026/06/03 10:23 a.m.11 views

Insertion of Sensitive Information Into Sent Data

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the apikey...

9.1CVSS7.8AI score0.00435EPSS
Exploits1References2
snyk
snyk
added 2026/06/03 10:23 a.m.10 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the apikey field in gateway secrets, which accepts environment variable references that are resolved against server-side credentials. An attacker can obtain sensitive environment...

9.1CVSS7.7AI score0.00435EPSS
Exploits1References2
nvd
nvd
added 2026/06/03 9:16 a.m.23 views

CVE-2026-4035

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the apikey field in...

9.1CVSS0.00435EPSS
Exploits1References5
vulnrichment
vulnrichment
added 2026/06/03 7:18 a.m.10 views

CVE-2026-4035 Environment Variable Resolution Vulnerability in mlflow/mlflow

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the apikey field in...

9.1CVSS7.6AI score0.00435EPSS
Exploits1References2
euvd
euvd
added 2026/06/03 7:18 a.m.13 views

EUVD-2026-34068

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the apikey field in...

9.1CVSS7.6AI score0.00435EPSS
Exploits1References2
attackerkb
attackerkb
added 2026/06/03 7:18 a.m.8 views

CVE-2026-4035

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the apikey field in...

9.1CVSS7.6AI score0.00435EPSS
Exploits1References3
cvelist
cvelist
added 2026/06/03 7:18 a.m.48 views

CVE-2026-4035 Environment Variable Resolution Vulnerability in mlflow/mlflow

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the apikey field in...

9.1CVSS0.00435EPSS
Exploits1References2
cve
cve
added 2026/06/03 7:18 a.m.72 views

CVE-2026-4035

CVE-2026-4035 affects mlflow/mlflow versions before 3.11.0. The API for AI Gateway secrets allows the api_key field to contain $ENV_VAR references, which are resolved against the MLflow server environment at runtime. Attackers can exfiltrate server-side environment credentials (e.g., AWS_ACCESS_K...

9.1CVSS7.6AI score0.00435EPSS
Exploits1References5Affected Software1
ptsecurity
ptsecurity
added 2026/06/03 12:0 a.m.22 views

PT-2026-45906

Name of the Vulnerable Software and Affected Versions mlflow versions prior to 3.11.0 Description An issue allows for the resolution of environment variables in AI Gateway secrets, enabling the exfiltration of sensitive server-side environment credentials to an attacker-controlled endpoint. This...

9.1CVSS8.2AI score0.00435EPSS
Exploits1References5
cnnvd
cnnvd
added 2026/06/03 12:0 a.m.9 views

MLflow 安全漏洞

MLflow is an open-source platform that simplifies machine learning development. It includes features for tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Versions of MLflow prior to 3.11.0 contained a security vulnerability, which was caused by an issu...

9.1CVSS8.3AI score0.00435EPSS
Exploits1References2
redhatcve
redhatcve
added 2026/06/02 10:52 p.m.14 views

CVE-2026-2614

A flaw was found in mlflow. An unauthenticated remote attacker can exploit a vulnerability in the createmodelversion handler by including a specific tag, mlflow.prompt.isprompt, in a CreateModelVersion request. This bypasses source path validation, allowing the attacker to specify an arbitrary...

7.5CVSS7.1AI score0.00712EPSS
Exploits1References5
nvd
nvd
added 2026/06/02 4:17 a.m.16 views

CVE-2026-3198

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS0.00244EPSS
Exploits1References1
cvelist
cvelist
added 2026/06/02 2:50 a.m.44 views

CVE-2026-3198 Improper Access Control in mlflow/mlflow

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS0.00244EPSS
Exploits1References1
vulnrichment
vulnrichment
added 2026/06/02 2:50 a.m.9 views

CVE-2026-3198 Improper Access Control in mlflow/mlflow

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

6.5CVSS6.6AI score0.00244EPSS
Exploits1References1
Rows per page
Query Builder