Lfprojects Mlflow vulnerabilities
69 known vulnerabilities affecting lfprojects/mlflow.
Total CVEs: 69
CISA KEV: 0
Public exploits: 14
Exploited in wild: 2
Severity breakdown: CRITICAL 15, HIGH 43, MEDIUM 9, LOW 2
Vulnerabilities
Page 2 of 4
CVE-2026-2611 | P3 | CRITICAL | CVSS 9.6 | CWE-346 | ≥ 3.9.0, < 3.10.0 | 2026-05-19
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attack
ghsa, nvd
CVE-2023-6568 | P3 | MEDIUM | CVSS 6.1 | PoC | CWE-79 | ≤ 2.9.0 | 2023-12-07
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading t
ghsa, nvd, osv
CVE-2025-14287 | P3 | HIGH | CVSS 8.8 | CWE-94 | fixed in 3.7.0 | 2026-03-16
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allow
nvd
CVE-2026-2651 | P3 | CRITICAL | CVSS 9.0 | CWE-862 | ≤ 3.10.1 | 2026-05-25
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can l
ghsa, nvd
CVE-2024-37061 | P3 | HIGH | CVSS 8.8 | CWE-94 | ≥ 1.11.0 | 2024-06-04
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
nvd
CVE-2023-6975 | P3 | CRITICAL | CVSS 9.8 | CWE-29 | fixed in 2.9.2 | 2023-12-20
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
ghsa, nvd, osv
CVE-2024-3573 | P3 | CRITICAL | CVSS 9.3 | CWE-29 | fixed in 2.10.0 | 2024-04-16
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exp
ghsa, nvd, osv
CVE-2023-6976 | P3 | HIGH | CVSS 8.8 | CWE-434 | fixed in 2.9.2 | 2023-12-20
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
ghsa, nvd, osv
CVE-2026-2614 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 3.10.0 | 2026-05-11
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path vali
nvd
CVE-2024-37060 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 1.27.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
nvd
CVE-2024-37054 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 0.9.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37052 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 1.1.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37055 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 1.24.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37053 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 1.1.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37056 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 1.23.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37059 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 0.5.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37058 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 2.5.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2024-37057 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 2.0.0 | 2024-06-04
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.
nvd
CVE-2026-4035 | P3 | HIGH | CVSS 7.7 | CWE-201 | fixed in 3.11.0 | 2026-06-03
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which
nvd
CVE-2023-6015 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 2.8.1 | 2023-11-16
MLflow allowed arbitrary files to be PUT onto the server.
ghsa, nvd, osv