What is GHSA-42h5-h8qh-vv9v?

GHSA-42h5-h8qh-vv9v is a security advisory published by GitHub Security Advisories with High severity. MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem

Which CVE IDs does GHSA-42h5-h8qh-vv9v cover?

GHSA-42h5-h8qh-vv9v covers the following CVE IDs: CVE-2026-2614. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-42h5-h8qh-vv9v?

GHSA-42h5-h8qh-vv9v has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-42h5-h8qh-vv9v?

GHSA-42h5-h8qh-vv9v affects 1 product, including: pip/mlflow:\u003c 3.10.0.

GHSA-42h5-h8qh-vv9vHighCVSS 7.5

MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-2614 →

📋 Description

A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

🎯 Affected products1

pip/mlflow:< 3.10.0

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (4)