CVE-2025-15036
published 2026-03-30CVE-2025-15036: A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow…
PriorityP269critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.59%
43.6th percentile
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 3.9.0 | 3.9.0 |
| mlflow | mlflow_mlflow | >= 0 < 3.9.0rc0 | 3.9.0rc0 |
| mlflow | mlflow_mlflow | >= unspecified < 3.9.0 | 3.9.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for tar.gz extraction operations invoking `extract_archive_to_dir` in mlflow/pyfunc/dbconnect_artifact_cache.py that result in file writes outside the intended sandbox/destination directory (path traversal via `../` sequences in tar member names). ↗
- →Alert on file write events outside the expected extraction directory when MLflow processes tar.gz artifacts, which may indicate exploitation of the missing tar member path validation. ↗
- ·The vulnerability is present in MLflow versions before v3.7.0; upgrading to v3.7.0 or later remediates the missing tar member path validation in extract_archive_to_dir. ↗
- ·Risk is elevated in multi-tenant or shared cluster environments where multiple users share the same MLflow deployment, as exploitation can lead to sandbox escape and privilege escalation. ↗
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv3.09.6CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vendor_redhat9.6CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
MLFlow path traversal vulnerability
ghsa·2026-03-30
CVE-2025-15036 [CRITICAL] CWE-29 MLFlow path traversal vulnerability
MLFlow path traversal vulnerability
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
OSV
MLFlow path traversal vulnerability
osv·2026-03-30
CVE-2025-15036 [CRITICAL] MLFlow path traversal vulnerability
MLFlow path traversal vulnerability
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Red Hat
mlflow: mlflow: Path traversal vulnerability allows arbitrary file overwrite and privilege escalation
vendor_redhat·2026-03-30·CVSS 9.6
CVE-2025-15036 [CRITICAL] CWE-22 mlflow: mlflow: Path traversal vulnerability allows arbitrary file overwrite and privilege escalation
mlflow: mlflow: Path traversal vulnerability allows arbitrary file overwrite and privilege escalation
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
A flaw was found in mlflow. A path traversal vulnerability exists in the `extract_archive_to_dir` function, which is responsible for extracting archives. An attacker who can c
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-2635 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-2635 [CRITICAL] CVE-2026-2635 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2635 :
MLflow vulnerability analysis and mitigation
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
Source : NVD
## 9.8
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
MLflow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Pr
Wiz
CVE-2026-2033 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-2033 [CRITICAL] CVE-2026-2033 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2033 :
MLflow vulnerability analysis and mitigation
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
MLflow
Has Public Exploit No
Has C
Wiz
CVE-2025-15381 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-15381 [CRITICAL] CVE-2025-15381 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15381 :
MLflow vulnerability analysis and mitigation
basic-auth
NO_PERMISSIONS
mlflow server --app-name=basic-auth
Source : NVD
## 8.1
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity HIGH No Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related MLflow vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Wiz
CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33865 [CRITICAL] CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33865 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Source : NVD
## 5.1
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33866 [CRITICAL] CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33866 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
Source : NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity MEDIUM
Wiz
CVE-2025-15036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-15036 [CRITICAL] CVE-2025-15036 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15036 :
MLflow vulnerability analysis and mitigation
extract_archive_to_dir
mlflow/pyfunc/dbconnect_artifact_cache.py
Source : NVD
## 9.6
Score
Published March 30, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related MLflow vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploi
Wiz
CVE-2025-14287 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-14287 [HIGH] CVE-2025-14287 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14287 :
MLflow vulnerability analysis and mitigation
mlflow/sagemaker/__init__.py
os.system()
--container
Source : NVD
## 7.5
Score
Published March 16, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mlflow
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related MLflow vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Publish
Wiz
CVE-2025-14279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-14279 [HIGH] CVE-2025-14279 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14279 :
MLflow vulnerability analysis and mitigation
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
Source : NVD
## 8.1
Score
Published January 12, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
Wiz
CVE-2025-10279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-10279 [HIGH] CVE-2025-10279 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-10279 :
MLflow vulnerability analysis and mitigation
/tmp
.py
Source : NVD
## 7
Score
Published February 2, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
MLflow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related MLflow vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2025-15379
CRITICAL
10
MLflow
Wiz
CVE-2025-15379 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-15379 [CRITICAL] CVE-2025-15379 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15379 :
MLflow vulnerability analysis and mitigation
_install_model_dependencies_to_env()
env_manager=LOCAL
python_env.yaml
Source : NVD
## 10
Score
Published March 30, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 46.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related MLflow vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV
Wiz
CVE-2026-0545 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-0545 [CRITICAL] CVE-2026-0545 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0545 :
MLflow vulnerability analysis and mitigation
/ajax-api/3.0/jobs/*
basic-auth
MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true
Source : NVD
## 9.1
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 42.1
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL No Fix Added at: Apr 07, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related MLflow vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV e
https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0https://access.redhat.com/security/cve/CVE-2025-15036https://bugzilla.redhat.com/show_bug.cgi?id=2452925https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-15036.json
2026-03-30
Published