PyPI package
mlflow
pkg:pypi/mlflow
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33866 | Med | 4.3 | <= 3.10.1 | — | Apr 7, 2026 | MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are no | |
| CVE-2026-33865 | Med | 5.4 | < 3.11.1 | 3.11.1 | Apr 7, 2026 | MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI | |
| CVE-2026-0545 | Cri | 9.8 | <= 3.10.1 | — | Apr 3, 2026 | In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_ | |
| CVE-2025-15379 | Cri | 9.8 | < 3.8.1 | 3.8.1 | Mar 30, 2026 | A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's | |
| CVE-2025-15036 | Cri | 10.0 | < 3.9.0rc0 | 3.9.0rc0 | Mar 30, 2026 | A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member pa | |
| CVE-2025-15381 | Hig | 7.1 | <= 3.8.1 | — | Mar 27, 2026 | In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and cr | |
| CVE-2025-15031 | — | < 3.9.0rc0 | 3.9.0rc0 | Mar 18, 2026 | A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape t | ||
| CVE-2025-14287 | Hig | 8.8 | < 3.8.0rc0 | 3.8.0rc0 | Mar 16, 2026 | A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without pr | |
| CVE-2026-2635 | Cri | 9.8 | < 3.8.0rc0 | 3.8.0rc0 | Feb 20, 2026 | MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_au | |
| CVE-2026-2033 | Hig | 8.1 | < 3.8.0rc0 | 3.8.0rc0 | Feb 20, 2026 | MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. | |
| CVE-2025-10279 | Hig | 7.0 | < 3.4.0rc0 | 3.4.0rc0 | Feb 2, 2026 | In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` | |
| CVE-2025-14279 | Hig | 8.1 | < 3.5.0 | 3.5.0 | Jan 12, 2026 | MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST | |
| CVE-2025-11200 | — | < 2.22.0rc0 | 2.22.0rc0 | Oct 29, 2025 | MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handl | ||
| CVE-2025-11201 | — | >= 3.0.0rc0, < 3.0.0 | 3.0.0 | Oct 29, 2025 | MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. | ||
| CVE-2025-52967 | Med | 5.8 | >= 3.0.0rc0, < 3.1.0 | 3.1.0 | Jun 23, 2025 | gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation. | |
| CVE-2025-0453 | — | <= 2.17.2 | — | Mar 20, 2025 | In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the appli | ||
| CVE-2025-1474 | — | < 2.19.0 | 2.19.0 | Mar 20, 2025 | In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for | ||
| CVE-2025-1473 | — | >= 2.17.0, < 2.20.3 | 2.20.3 | Mar 20, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user. | ||
| CVE-2024-8859 | — | < 2.17.0rc0 | 2.17.0rc0 | Mar 20, 2025 | A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is | ||
| CVE-2024-6838 | — | <= 2.13.2 | — | Mar 20, 2025 | In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a po |
- affected <= 3.10.1
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are no
- affected < 3.11.1fixed 3.11.1
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI
- affected <= 3.10.1
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_
- affected < 3.8.1fixed 3.8.1
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's
- affected < 3.9.0rc0fixed 3.9.0rc0
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member pa
- affected <= 3.8.1
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and cr
- CVE-2025-15031Mar 18, 2026affected < 3.9.0rc0fixed 3.9.0rc0
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape t
- affected < 3.8.0rc0fixed 3.8.0rc0
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without pr
- affected < 3.8.0rc0fixed 3.8.0rc0
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_au
- affected < 3.8.0rc0fixed 3.8.0rc0
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
- affected < 3.4.0rc0fixed 3.4.0rc0
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py`
- affected < 3.5.0fixed 3.5.0
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST
- CVE-2025-11200Oct 29, 2025affected < 2.22.0rc0fixed 2.22.0rc0
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handl
- CVE-2025-11201Oct 29, 2025affected >= 3.0.0rc0, < 3.0.0fixed 3.0.0
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
- affected >= 3.0.0rc0, < 3.1.0fixed 3.1.0
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.
- CVE-2025-0453Mar 20, 2025affected <= 2.17.2
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the appli
- CVE-2025-1474Mar 20, 2025affected < 2.19.0fixed 2.19.0
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for
- CVE-2025-1473Mar 20, 2025affected >= 2.17.0, < 2.20.3fixed 2.20.3
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.
- CVE-2024-8859Mar 20, 2025affected < 2.17.0rc0fixed 2.17.0rc0
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is
- CVE-2024-6838Mar 20, 2025affected <= 2.13.2
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a po
Page 1 of 4