Mlflow

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1

Published: 2026-04-07T12:57:44.380Z
Updated: 2026-04-14T15:12:44.168Z

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1

Published: 2026-04-07T12:57:38.525Z
Updated: 2026-04-14T15:13:57.547Z

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.

Published: 2026-05-15T02:13:19.541Z
Updated: 2026-05-15T13:22:21.060Z

gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.

Published: 2025-06-23T00:00:00.000Z
Updated: 2025-06-23T20:12:52.209Z

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

Published: 2025-03-20T10:10:20.888Z
Updated: 2025-03-20T18:22:53.386Z

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

Published: 2025-03-20T10:10:20.747Z
Updated: 2025-03-20T18:22:59.873Z

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

Published: 2026-03-30T07:16:57.610Z
Updated: 2026-03-31T13:50:57.378Z

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

Published: 2026-03-18T22:06:47.300Z
Updated: 2026-03-19T13:52:40.477Z

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.

Published: 2025-10-29T19:37:10.690Z
Updated: 2026-02-26T16:56:56.111Z

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

Published: 2025-10-29T19:42:03.734Z
Updated: 2026-02-26T16:56:55.664Z

A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.

Published: 2024-05-16T09:03:48.053Z
Updated: 2024-08-01T20:33:53.063Z

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

Published: 2024-05-16T09:03:47.178Z
Updated: 2024-08-01T20:26:57.075Z

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

Published: 2024-04-16T00:00:14.753Z
Updated: 2024-08-01T20:12:07.901Z

Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.

Published: 2024-06-04T12:02:23.269Z
Updated: 2024-08-02T03:43:50.824Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

Published: 2024-06-04T12:02:12.858Z
Updated: 2024-08-02T03:43:50.968Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:01:58.728Z
Updated: 2024-08-02T03:43:50.934Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:01:43.266Z
Updated: 2024-08-02T03:43:50.989Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:01:28.229Z
Updated: 2024-08-02T03:43:51.015Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:01:09.258Z
Updated: 2024-08-02T03:43:50.908Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:00:51.438Z
Updated: 2024-08-02T03:43:50.975Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:00:34.492Z
Updated: 2024-08-02T03:43:50.887Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T12:00:15.162Z
Updated: 2024-08-02T03:43:50.998Z

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Published: 2024-06-04T11:59:35.035Z
Updated: 2024-08-02T03:43:50.871Z

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

Published: 2024-06-06T18:29:54.973Z
Updated: 2024-08-01T19:32:42.225Z

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

Published: 2024-11-25T13:48:05.117Z
Updated: 2024-11-25T14:23:59.324Z

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

Published: 2024-02-23T22:00:33.124Z
Updated: 2024-08-22T18:01:49.002Z

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.

Published: 2024-02-23T21:58:59.869Z
Updated: 2024-08-14T15:28:19.332Z

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.

Published: 2024-04-16T00:00:14.507Z
Updated: 2024-08-01T18:48:20.634Z

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise.

Published: 2024-04-16T00:00:14.123Z
Updated: 2024-08-01T18:48:20.648Z

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831.

Published: 2024-04-16T00:00:13.649Z
Updated: 2024-08-09T20:00:20.571Z

A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler.

Published: 2024-04-16T00:00:14.626Z
Updated: 2024-08-01T18:40:21.526Z

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.

Published: 2024-04-16T00:00:14.064Z
Updated: 2024-08-01T18:40:21.239Z

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0.

Published: 2024-06-06T18:19:36.380Z
Updated: 2025-10-15T12:50:06.675Z

This vulnerability enables malicious users to read sensitive files on the server.

Published: 2023-12-20T05:37:12.654Z
Updated: 2024-08-02T08:50:06.994Z

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

Published: 2023-12-20T05:30:08.540Z
Updated: 2024-08-02T08:50:06.839Z

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

Published: 2023-12-20T05:26:55.740Z
Updated: 2024-08-02T08:50:06.824Z

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.

Published: 2023-12-20T05:25:42.720Z
Updated: 2024-08-02T08:50:08.017Z

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.

Published: 2023-12-19T01:41:12.560Z
Updated: 2025-05-07T20:26:08.729Z

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Published: 2023-12-18T00:00:31.984Z
Updated: 2024-08-02T08:42:08.521Z

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Published: 2023-12-15T00:00:31.210Z
Updated: 2024-08-02T08:42:07.635Z

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

Published: 2023-12-13T00:00:31.196Z
Updated: 2024-10-08T14:30:30.548Z

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

Published: 2023-12-12T04:05:45.542Z
Updated: 2024-10-08T19:52:57.222Z

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.

Published: 2023-12-07T04:54:10.377Z
Updated: 2024-08-02T08:35:14.502Z

MLflow allowed arbitrary files to be PUT onto the server.

Published: 2023-11-16T16:06:11.032Z
Updated: 2024-08-02T08:21:17.131Z

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.

Published: 2023-11-16T21:07:36.577Z
Updated: 2024-09-04T20:22:09.674Z

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.

Published: 2023-08-01T00:00:20.302Z
Updated: 2024-10-15T14:13:34.900Z

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.

Published: 2023-12-05T00:00:00.000Z
Updated: 2024-08-02T19:44:42.214Z

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

Published: 2023-07-19T00:53:33.969Z
Updated: 2024-10-24T18:25:35.315Z

A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.

Published: 2023-05-11T00:00:00.000Z
Updated: 2025-01-27T16:51:28.457Z

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.

Published: 2023-05-17T00:00:00.000Z
Updated: 2025-01-22T18:03:49.078Z

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

Published: 2023-04-28T00:00:00.000Z
Updated: 2025-01-30T20:48:28.310Z

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

Published: 2023-03-24T00:00:00.000Z
Updated: 2025-02-19T20:56:12.814Z

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.

Published: 2023-03-24T00:00:00.000Z
Updated: 2025-02-19T20:58:08.395Z

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

Published: 2022-02-23T08:45:13.000Z
Updated: 2024-08-02T23:40:03.521Z