CVE-2026-4137

Severity: HIGH (NVD CVSS 7.0)
EchelonGraph score: 7.0 (HIGH confidence)

Score 7.0 from GitHub Security Advisory (severity: HIGH), published 2026-05-18. NVD baseline CVSS 7.0; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd

In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via cloudpickle.load(). This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
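As an added illustration (not code from mlflow or from this advisory), the weak directory-permission pattern described above beside a hardened private temp directory, with a small audit that flags directories another local user could tamper with. The function names, the `weak_tmp` path and the demo base directory are constructed for this example.

```python
import os
import stat
import tempfile

# Constructed demonstration of the weakness described above: an artifact
# directory another local user can write into, beside a hardened private
# one, plus an audit that flags the weak case (group or world write bit).

def make_shared_tmp_dir_weak(base: str) -> str:
    """Weak pattern: directory left world-writable (0o777). chmod is
    explicit so the umask does not narrow it; 0o770 is flagged the same."""
    path = os.path.join(base, "weak_tmp")
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o777)
    return path

def make_private_tmp_dir(base: str) -> str:
    """Hardened variant: mkdtemp creates the directory atomically with
    mode 0o700, so no other user can add, replace or rename artifacts."""
    return tempfile.mkdtemp(prefix="artifacts-", dir=base)

def is_tamperable(path: str) -> bool:
    """True when another principal could replace entries: a group or world
    write bit without the sticky bit that /tmp-style directories rely on."""
    mode = os.stat(path).st_mode
    writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return writable and not bool(mode & stat.S_ISVTX)

def audit_tree(root: str) -> list[str]:
    """Walk root and return tamperable directories, relative to root."""
    flagged = []
    for dirpath, _dirs, _files in os.walk(root):
        if is_tamperable(dirpath):
            flagged.append(os.path.relpath(dirpath, root))
    return sorted(flagged)

def demo() -> dict:
    """Build both directories under a private 0o700 base and audit them."""
    base = tempfile.mkdtemp(prefix="demo-")
    weak = make_shared_tmp_dir_weak(base)
    safe = make_private_tmp_dir(base)
    return {
        "weak_mode": stat.S_IMODE(os.stat(weak).st_mode),  # 0o777
        "safe_mode": stat.S_IMODE(os.stat(safe).st_mode),  # 0o700
        "flagged": audit_tree(base),                        # ["weak_tmp"]
    }
```

Run `audit_tree()` over an NFS-backed scratch area to find directories that downloaded artifacts should never be written into; a sticky-bit shared directory is reported as safe by this check only because entries cannot be renamed or deleted by other users, not because their contents are private.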

CVSS v3: 7.0
EG Score: 7.0 (high)
EPSS: 0.3%
KEV: Not listed

Published: May 18, 2026
Last Modified: May 19, 2026

Frequently asked (5)

What is CVE-2026-4137?
CVE-2026-4137 is a high-severity vulnerability published on May 18, 2026. In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable…
When was CVE-2026-4137 disclosed?
CVE-2026-4137 was first published in the National Vulnerability Database on May 18, 2026, with the most recent update on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-4137 actively exploited?
CVE-2026-4137 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 0.3% likelihood of exploitation in the next 30 days; higher values indicate greater predicted risk.
What is the CVSS score of CVE-2026-4137?
CVE-2026-4137 has a CVSS v3 base score of 7.0 (NVD).
How do I remediate CVE-2026-4137?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-4137, EchelonGraph cross-links them in the Vendor Advisories panel below; those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
