
Mlflow Mlflow vulnerabilities

50 known vulnerabilities affecting mlflow/mlflow_mlflow.

Total CVEs: 50
CISA KEV: 0
Public exploits: 14
Exploited in wild: 2
Severity breakdown: CRITICAL 14, HIGH 28, MEDIUM 7, LOW 1

Vulnerabilities

Page 2 of 3
CVE-2023-6568 | P3 | MEDIUM | CVSS 6.1 | PoC | ≥ unspecified, < 2.9.0 | 2023-12-07
CWE-79: A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading t
nvd
CVE-2025-14287 | P3 | HIGH | CVSS 8.8 | ≥ unspecified, ≤ latest | 2026-03-16
CWE-94: A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allow
ghsa, nvd, osv
CVE-2026-2651 | P3 | CRITICAL | CVSS 9.0 | ≥ unspecified, < 3.10.0 | 2026-05-25
CWE-862: A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can l
cvelistv5, nvd
CVE-2023-6975 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 2.9.2 | 2023-12-20
CWE-29: A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
nvd
CVE-2024-3573 | P3 | CRITICAL | CVSS 9.3 | ≥ unspecified, < 2.10.0 | 2024-04-16
CWE-29: mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exp
nvd
CVE-2023-6976 | P3 | HIGH | CVSS 8.8 | ≥ unspecified, < 2.9.2 | 2023-12-20
CWE-434: This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
nvd
CVE-2026-2614 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, < 3.10.0 | 2026-05-11
CWE-22: A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path vali
ghsa, nvd
CVE-2026-4035 | P3 | HIGH | CVSS 7.7 | ≥ unspecified, < 3.11.0 | 2026-06-03
CWE-201: A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which
nvd
CVE-2023-6015 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, ≤ latest | 2023-11-16
CWE-22: MLflow allowed arbitrary files to be PUT onto the server.
nvd
CVE-2023-6709 | P3 | HIGH | CVSS 8.8 | ≥ unspecified, < 2.9.2 | 2023-12-12
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
nvd
CVE-2026-0596 | P3 | HIGH | CVSS 7.8 | ≥ unspecified, ≤ latest | 2026-03-31
CWE-78: A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker
nvd
CVE-2023-6940 | P3 | HIGH | CVSS 8.8 | ≥ unspecified, < 2.9.2 | 2023-12-19
CWE-77: With only one user interaction (download a malicious config), attackers can gain full command execution on the victim system.
nvd
CVE-2024-1558 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, ≤ latest | 2024-04-16
CWE-22: A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function
nvd
CVE-2024-1593 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, ≤ latest | 2024-04-16
CWE-22: A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into t
nvd
CVE-2026-2393 | P3 | HIGH | CVSS 7.1 | ≥ unspecified, < 3.10.0 | 2026-05-11
CWE-918: A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. Th
ghsa, nvd
CVE-2023-4033 | P3 | HIGH | CVSS 7.8 | ≥ unspecified, < 2.6.0 | 2023-08-01
CWE-78: OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
nvd
CVE-2025-14279 | P3 | HIGH | CVSS 8.1 | ≥ unspecified, < 3.5.0 | 2026-01-12
CWE-346: MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the
ghsa, nvd, osv
CVE-2023-6753 | P3 | HIGH | CVSS 8.8 | ≥ unspecified, < 2.9.2 | 2023-12-13
CWE-22: Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
nvd
CVE-2026-2734 | P3 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 3.10.0 | 2026-05-21
CWE-284: In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The
nvd
CVE-2025-15381 | P3 | HIGH | CVSS 7.1 | ≥ unspecified, ≤ latest | 2026-03-27
CWE-200: In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerab
ghsa, nvd, osv