CVE-2026-4137
Published 2026-05-18
Priority: P3 · 44 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.19% (9.2th percentile)
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
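A defensive check for the condition described above, as an added example that is not MLflow's code: it flags directories under a shared mount that are group- or world-writable or owned by another user, and creates a private 0o700 directory for comparison. The function names, the `model-` prefix and the sample directory names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def insecure_dir_findings(path):
    """Return reasons a directory should not hold artifacts that get deserialized."""
    st = os.lstat(path)  # lstat: a symlink planted in place of the directory is reported
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory")
    if st.st_uid != os.geteuid():
        findings.append("owned by another user")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit_tree(root):
    """Walk root and map each loosely-permissioned directory to its findings."""
    report = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        findings = insecure_dir_findings(dirpath)
        if findings:
            report[dirpath] = findings
    return report


def make_private_tmp_dir(parent):
    """Create a temp directory that only the current user can read or modify."""
    path = tempfile.mkdtemp(prefix="model-", dir=parent)  # mkdtemp creates with 0o700
    os.chmod(path, 0o700)  # stated explicitly so the intended mode is visible in review
    return path


if __name__ == "__main__":
    # Constructed sample tree reproducing the two modes named in the advisory.
    root = tempfile.mkdtemp()
    for name, mode in (("nfs_tmp", 0o777), ("download_tmp", 0o770)):
        sample = os.path.join(root, name)
        os.mkdir(sample)
        os.chmod(sample, mode)  # chmod sets the mode exactly, regardless of umask
    make_private_tmp_dir(root)
    for path, findings in audit_tree(root).items():
        print(path, findings)
```

Run `audit_tree()` as the account that loads the models, since the ownership check compares against the effective UID of the calling process.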
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 3.11.0 | 3.11.0 |
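CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 7.0 | HIGH | |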
VulDB
MLflow up to 3.10.x file_utils.py get_or_create_nfs_tmp_dir temp file
vuldb·2026-05-19·CVSS 7.0
CVE-2026-4137 [HIGH] MLflow up to 3.10.x file_utils.py get_or_create_nfs_tmp_dir temp file
A vulnerability described as problematic has been identified in MLflow up to 3.10.x. The affected element is the function get_or_create_nfs_tmp_dir of the file mlflow/utils/file_utils.py. Such manipulation leads to creation of temporary file with insecure permissions.
This vulnerability is uniquely identified as CVE-2026-4137. Local access is required to approach this attack. No exploit exists.
Upgrading the affected component is recommended.
GHSA
MLFlow Creates a Temporary File With Insecure Permissions
ghsa·2026-05-18·CVSS 7.0
CVE-2026-4137 [HIGH] CWE-378 MLFlow Creates a Temporary File With Insecure Permissions
GHSA
GHSA-f2m9-wcf4-cwwx: In mlflow/mlflow versions prior to 3
ghsa_unreviewed·2026-05-18·CVSS 7.0
CVE-2026-4137 [HIGH] CWE-378 GHSA-f2m9-wcf4-cwwx: In mlflow/mlflow versions prior to 3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-18