PT-2026-43005

Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.10.0 Description Unauthorized access to multipart upload MPU endpoints is possible when the --serve-artifacts mode is enabled. The authorization logic fails to enforce resource-level permission checks for endpoints...

CVE-2026-2652

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

CVE-2026-2614 Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow

A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

BIT-MLFLOW-2025-10279 Privilege Escalation in mlflow/mlflow

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions 0o777. This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual...

GHSA-FH64-R2VC-XVHR MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

PYSEC-2026-93

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

MLflow < 3.8.0 Authentication Bypass (ZDI-26-111)

The version of MLflow installed on the remote host is prior to 3.8.0. It is, therefore, affected by an authentication bypass vulnerability: - A use of default password vulnerability exists in the basicauth.ini file. The file contains hard-coded default credentials that allow remote, unauthenticat...

PT-2026-5652

Name of the Vulnerable Software and Affected Versions mlflow versions prior to 3.4.0 Description A flaw exists in mlflow version 2.20.3 where the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions 0o777. This allows an attacker with...

CVE-2023-4033

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0...

BIT-MLFLOW-2025-52967

gatewayproxyhandler in MLflow before 3.1.0 lacks gatewaypath validation...

CVE-2025-52967

gatewayproxyhandler in MLflow before 3.1.0 lacks gatewaypath validation...

CVE-2025-52967

MLflow prior to 3.1.0 is affected by a gateway_proxy_handler issue that lacks gateway_path validation, enabling potential SSRF via gateway routes. The CVE-2025-52967 description specifies a missing validation in gateway_proxy_handler, with CVSSv3.1 vector indicating network attack, low complexity...

CVE-2025-52967

gatewayproxyhandler in MLflow before 3.1.0 lacks gatewaypath validation...

CVE-2024-3099

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service DoS as an authenticated user might not be able to use the intended model, as it will open a different model each time...

CVE-2024-8859

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

MLflow has a Local File Read/Path Traversal in dbfs

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

GHSA-Q3GW-8236-5JW4 MLflow Uncontrolled Resource Consumption vulnerability

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

CVE-2025-1474

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

CVE-2025-0453

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVE-2024-8859

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...