VYPR

Vendor: Mlflow
Products: 7
CVEs: 91 (across products: 91)
Status: Private

Recent CVEs (91)
  • CVE-2026-0545 | Critical | Apr 3, 2026
    risk 0.65 | cvss 9.8 | epss 0.04

    In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled…

  • CVE-2025-34072 | Critical | Jul 2, 2025
    risk 0.60 | cvss n/a | epss 0.00

    A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing…

  • CVE-2025-68145 | Critical | Dec 17, 2025
    risk 0.59 | cvss 9.1 | epss 0.06

    In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could…

  • CVE-2025-15036 | Critical | Mar 30, 2026
    risk 0.58 | cvss 10.0 | epss 0.01

    A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member…

  • CVE-2025-15379 | Critical | Mar 30, 2026
    risk 0.57 | cvss 9.8 | epss 0.02

    A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model…

  • CVE-2026-2635 | Critical | Feb 20, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the…

  • CVE-2026-2611 | Critical | May 19, 2026
    risk 0.55 | cvss 9.6 | epss 0.00

    In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a…

  • CVE-2026-2651 | Critical | May 25, 2026
    risk 0.52 | cvss 9.0 | epss 0.00

    A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints,…

  • CVE-2025-68143 | High | Dec 17, 2025
    risk 0.51 | cvss 8.8 | epss 0.08

    Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target…

  • CVE-2025-14287 | High | Mar 16, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without…

  • CVE-2026-2652 | High | May 15, 2026
    risk 0.49 | cvss 8.6 | epss 0.01

    A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces…

  • CVE-2026-34742 | High | Apr 2, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with…

  • CVE-2025-15381 | High | Mar 27, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and…

  • CVE-2026-2033 | High | Feb 20, 2026
    risk 0.46 | cvss 8.1 | epss 0.02

    MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this…

  • CVE-2025-14279 | High | Jan 12, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against…

  • CVE-2025-68144 | High | Dec 17, 2025
    risk 0.46 | cvss 7.1 | epss 0.07

    In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line…

  • CVE-2026-4137 | High | May 18, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py`…

  • CVE-2026-0596 | High | Mar 31, 2026
    risk 0.44 | cvss 7.8 | epss 0.01

    A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as…

  • CVE-2026-4035 | High | Jun 3, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because…

  • CVE-2026-2614 | High | May 11, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion`…