mlflow
PyPI75 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mlflowpage 2 of 2
- CVE-2025-11200CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.22.0rc02025-10-29
vulnerable: 0.0.1 ... 2.9.2 (131 versions)
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. …
- CVE-2025-11201CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.22.42025-10-29
vulnerable: 0.0.1 ... 2.9.2 (136 versions)
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not …
- CVE-2025-14279HIGHCVSS 8.1EG 8.1✓ Fixed in 3.5.02026-01-12
vulnerable: 0.0.1 ... 3.5.0rc0 (158 versions)
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections an…
- CVE-2025-14287HIGHCVSS 8.8EG 8.8✓ Fixed in 3.8.0rc02026-03-16
vulnerable: 0.0.1 ... 3.7.0rc0 (164 versions)
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container i…
- CVE-2025-1473HIGHCVSS 7.1EG 7.1✓ Fixed in 2.20.32025-03-20
vulnerable: 2.17.0 ... 2.20.2 (11 versions)
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on …
- CVE-2025-1474MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.19.02025-03-20
vulnerable: 0.0.1 ... 2.9.2 (119 versions)
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally…
- CVE-2025-15036CRITICALCVSS 10.0EG 10.0✓ Fixed in 3.9.0rc02026-03-30
vulnerable: 0.0.1 ... 3.8.1 (167 versions)
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due t…
- CVE-2025-15379CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.8.12026-03-30
vulnerable: 0.0.1 ... 3.8.0rc0 (166 versions)
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency…
- CVE-2025-15381HIGHCVSS 7.1EG 8.12026-03-27
vulnerable: 0.0.1 ... 3.8.1 (167 versions)
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the exp…
- CVE-2025-52967MEDIUMCVSS 5.8EG 5.8✓ Fixed in 3.1.02025-06-23
vulnerable: 0.0.1 ... v0.2.0 (159 versions)
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.
- CVE-2026-0545HIGHCVSS 8.1EG 9.12026-04-03
vulnerable: 0.0.1 ... 3.9.0rc0 (172 versions)
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job exe…
- CVE-2026-0596HIGHCVSS 7.8EG 7.8✓ Fixed in 3.9.02026-03-31
vulnerable: 0.0.1 ... 3.9.0rc0 (169 versions)
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` co…
- CVE-2026-10803LOWCVSS 3.6EG 3.6✓ Fixed in 3.10.12026-06-04
vulnerable: 0.0.1 ... 3.9.0rc0 (172 versions)
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is po…
- CVE-2026-2033HIGHCVSS 7.3EG 8.1✓ Fixed in 3.8.0rc02026-02-20
vulnerable: 0.0.1 ... 3.7.0rc0 (164 versions)
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is no…
- CVE-2026-2393HIGHCVSS 7.1EG 7.1✓ Fixed in 3.9.02026-05-11
vulnerable: 0.0.1 ... 3.9.0rc0 (169 versions)
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webho…
- CVE-2026-2611CRITICALCVSS 9.6EG 9.6✓ Fixed in 3.10.02026-05-19
vulnerable: 3.10.0rc0, 3.9.0
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with …
- CVE-2026-2614HIGHCVSS 7.5EG 7.5✓ Fixed in 3.10.02026-05-11
vulnerable: 0.0.1 ... 3.9.0rc0 (171 versions)
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue a…
- CVE-2026-2635HIGHCVSS 7.3EG 9.8✓ Fixed in 3.8.0rc02026-02-20
vulnerable: 0.0.1 ... 3.7.0rc0 (164 versions)
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The…
- CVE-2026-2652HIGHCVSS 8.6EG 8.6✓ Fixed in 3.11.02026-05-15
vulnerable: 0.0.1 ... 3.9.0rc0 (175 versions)
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI…
- CVE-2026-2734MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.10.02026-05-21
vulnerable: 0.0.1 ... 3.9.0rc0 (171 versions)
In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authentic…
- CVE-2026-3198MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.11.0rc02026-06-02
vulnerable: 0.0.1 ... 3.9.0rc0 (173 versions)
MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not inc…
- CVE-2026-33865MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.11.0rc02026-04-07
vulnerable: 0.0.1 ... 3.9.0rc0 (173 versions)
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when …
- CVE-2026-33866MEDIUMCVSS 4.3EG 4.3✓ Fixed in 3.11.0rc02026-04-07
vulnerable: 0.0.1 ... 3.9.0rc0 (173 versions)
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoi…
- CVE-2026-4035HIGHCVSS 7.7EG 9.1✓ Fixed in 3.11.02026-06-03
vulnerable: 0.0.1 ... 3.9.0rc0 (175 versions)
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlle…
- CVE-2026-4137HIGHCVSS 7.8EG 7.0✓ Fixed in 3.11.02026-05-18
vulnerable: 0.0.1 ... 3.9.0rc0 (175 versions)
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` func…
Check whether mlflow is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for mlflow CVEs against the assets you own.
Start Free Scan →