Lfprojects Mlflow vulnerabilities
69 known vulnerabilities affecting lfprojects/mlflow.
Total CVEs
69
CISA KEV
0
Public exploits
14
Exploited in wild
2
Severity breakdown
CRITICAL15HIGH43MEDIUM9LOW2
Vulnerabilities
Page 3 of 4
CVE-2023-6709P3HIGHCVSS 8.8fixed in 2.9.22023-12-12
CVE-2023-6709 [HIGH] CWE-1336 CVE-2023-6709: Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/ml
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
ghsanvdosv
CVE-2024-1560P3HIGHCVSS 8.1≤ 2.9.22024-04-16
CVE-2024-1560 [HIGH] CVE-2024-1560: A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artif
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's
ghsanvdosv
CVE-2023-6940P3HIGHCVSS 8.8fixed in 2.9.22023-12-19
CVE-2023-6940 [HIGH] CWE-77 CVE-2023-6940: with only one user interaction(download a malicious config), attackers can gain full command executi
with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.
ghsanvdosv
CVE-2024-1558P3HIGHCVSS 7.5fixed in 2.12.12024-04-16
CVE-2024-1558 [HIGH] CWE-22 CVE-2024-1558: A path traversal vulnerability exists in the `_create_model_version()` function within `server/handl
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function
ghsanvdosv
CVE-2023-30172P3HIGHCVSS 7.5fixed in 2.0.12023-05-11
CVE-2023-30172 [HIGH] CWE-22 CVE-2023-30172: A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.
A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.
ghsanvdosv
CVE-2024-1594P3HIGHCVSS 7.5fixed in 2.11.32024-04-16
CVE-2024-1594 [HIGH] CVE-2024-1594: A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handl
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue
ghsanvdosv
CVE-2024-1593P3HIGHCVSS 7.5fixed in 2.11.32024-04-16
CVE-2024-1593 [HIGH] CWE-22 CVE-2024-1593: A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of UR
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into t
ghsanvdosv
CVE-2026-2393P3HIGHCVSS 7.1fixed in 3.9.02026-05-11
CVE-2026-2393 [HIGH] CWE-918 CVE-2026-2393: A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_c
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. Th
nvd
CVE-2023-4033P3HIGHCVSS 7.8fixed in 2.6.02023-08-01
CVE-2023-4033 [HIGH] CWE-78 CVE-2023-4033: OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
ghsanvdosv
CVE-2025-14279P3HIGHCVSS 8.1fixed in 3.5.02026-01-12
CVE-2025-14279 [HIGH] CWE-346 CVE-2025-14279: MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of O
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the
nvd
CVE-2026-4137P3HIGHCVSS 7.8fixed in 3.11.02026-05-18
CVE-2026-4137 [HIGH] CVE-2026-4137: In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/uti
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions
nvd
CVE-2024-27132P3CRITICALCVSS 9.6≤ 2.9.22024-02-23
CVE-2024-27132 [CRITICAL] CWE-79 CVE-2024-27132: Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.
The vulnerability stems from lack of sanitization over template variables.
ghsanvdosv
CVE-2024-27133P3CRITICALCVSS 9.6≤ 2.9.22024-02-23
CVE-2024-27133 [CRITICAL] CWE-79 CVE-2024-27133: Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted datase
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
ghsanvdosv
CVE-2023-6753P3HIGHCVSS 8.8fixed in 2.9.22023-12-13
CVE-2023-6753 [HIGH] CWE-22 CVE-2023-6753: Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
ghsanvdosv
CVE-2026-2734P3MEDIUMCVSS 6.5fixed in 3.10.02026-05-21
CVE-2026-2734 [MEDIUM] CWE-284 CVE-2026-2734: In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSe
In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The
ghsanvd
CVE-2025-0453P3HIGHCVSS 7.5v2.17.22025-03-20
CVE-2025-0453 [HIGH] CWE-410 CVE-2025-0453: In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to un
ghsanvdosv
CVE-2025-10279P3HIGHCVSS 7.0fixed in 3.4.02026-02-02
CVE-2025-10279 [HIGH] CWE-379 CVE-2025-10279: In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is a
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. T
nvd
CVE-2026-3198P3MEDIUMCVSS 6.5v3.9.02026-06-02
CVE-2026-3198 [MEDIUM] CWE-284 CVE-2026-3198: MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for mul
MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows
nvd
CVE-2022-0736P3HIGHCVSS 7.5fixed in 1.23.12022-02-23
CVE-2022-0736 [HIGH] CWE-377 CVE-2022-0736: Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.
Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.
ghsanvdosv
CVE-2024-27134P4HIGHCVSS 7.0fixed in 2.16.02024-11-25
CVE-2024-27134 [HIGH] CWE-276 CVE-2024-27134: Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf.
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
ghsanvdosv