VYPR

Bitnami package

mlflow

pkg:bitnami/mlflow

Vulnerabilities (73)

  • CVE-2026-10803LowJun 4, 2026
    affected < 3.10.1fixed 3.10.1

    A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local

  • CVE-2026-4035HigJun 3, 2026
    affected < 3.11.0fixed 3.11.0

    A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the

  • CVE-2026-3198MedJun 2, 2026
    affected >= 3.9.0, < 3.10.0fixed 3.10.0

    MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`

  • CVE-2026-2651CriMay 25, 2026
    affected < 3.11.1fixed 3.11.1

    A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enablin

  • CVE-2026-2734MedMay 21, 2026
    affected < 3.10.0fixed 3.10.0

    In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions

  • CVE-2026-2611CriMay 19, 2026
    affected >= 3.9.0, < 3.10.0fixed 3.10.0

    In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim'

  • CVE-2026-4137HigMay 18, 2026
    affected < 3.11.0fixed 3.11.0

    In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creat

  • CVE-2026-2652HigMay 15, 2026
    affected < 3.10.0fixed 3.10.0

    A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces auth

  • CVE-2026-2614HigMay 11, 2026
    affected < 3.10.0fixed 3.10.0

    A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request

  • CVE-2026-2393HigMay 11, 2026
    affected < 3.9.0fixed 3.9.0

    A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhook

  • CVE-2026-33866MedApr 7, 2026
    affected < 3.11.1fixed 3.11.1

    MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are no

  • CVE-2026-33865MedApr 7, 2026
    affected < 3.11.1fixed 3.11.1

    MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI

  • CVE-2026-0596HigMar 31, 2026
    affected < 3.11.1fixed 3.11.1

    A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()

  • CVE-2025-15379CriMar 30, 2026
    affected >= 3.8.0, < 3.9.0fixed 3.9.0

    A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's

  • CVE-2025-15036CriMar 30, 2026
    affected < 3.9.0fixed 3.9.0

    A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member pa

  • CVE-2025-15031Mar 18, 2026
    affected < 3.11.1fixed 3.11.1

    A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape t

  • CVE-2025-14287HigMar 16, 2026
    affected < 3.7.0fixed 3.7.0

    A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without pr

  • CVE-2025-10279HigFeb 2, 2026
    affected < 3.4.0fixed 3.4.0

    In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py`

  • CVE-2025-14279HigJan 12, 2026
    affected < 3.5.0fixed 3.5.0

    MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST

  • CVE-2025-11200Oct 29, 2025
    affected < 2.21.1fixed 2.21.1

    MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handl

Page 1 of 4