CVE-2026-4137
Description
In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via cloudpickle.load(). This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
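A defender can check a shared mount for the directory modes named above (0o777 and 0o770). The following is an added example, not MLflow's code and not taken from the advisory; the function names `audit_dir_modes` and `make_private_tmp_dir` and the sample directory tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_dir_modes(root):
    """Return (path, octal_mode, finding) for every directory under root
    (root included) that group members or other users can write to."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & stat.S_IWOTH:
            finding = "world-writable"
            if mode & stat.S_ISVTX:
                # Sticky bit limits deletion/rename, not creation of new files.
                finding += " (sticky)"
        elif mode & stat.S_IWGRP:
            finding = "group-writable"
        else:
            continue
        findings.append((dirpath, oct(mode), finding))
    return findings


def make_private_tmp_dir(parent):
    """Create a scratch directory that only the owning user can access."""
    path = tempfile.mkdtemp(prefix="model-", dir=parent)  # mkdtemp uses 0o700
    os.chmod(path, 0o700)  # explicit, so the intent survives later refactoring
    return path


if __name__ == "__main__":
    # Constructed sample tree standing in for a shared scratch mount.
    root = tempfile.mkdtemp()
    for name, mode in (("nfs_tmp", 0o777), ("model_download", 0o770)):
        sample = os.path.join(root, name)
        os.mkdir(sample)
        os.chmod(sample, mode)  # chmod is not subject to the umask
    make_private_tmp_dir(root)
    for path, mode, finding in audit_dir_modes(root):
        print(f"{mode}  {finding:16}  {path}")
```

The audit only reports exposure; the patched version listed on this page is mlflow 3.11.0.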
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mlflow (PyPI) | < 3.11.0 | 3.11.0 |
Affected products
- osv-coords (2 versions): < 3.11.0, + 1 more
- (no CPE), range: < 3.11.0
- (no CPE), range: < 3.11.0
References
- github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a (nvd: Patch, WEB)
- huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6 (nvd: Exploit, Third Party Advisory, WEB)
- github.com/advisories/GHSA-4x5p-f36r-mxxr (ghsa: ADVISORY)
- github.com/advisories/GHSA-f2m9-wcf4-cwwx (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-4137 (ghsa: ADVISORY)