Search for packages
| purl | pkg:pypi/mlflow@2.20.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rkq-1ed6-fkd8
Aliases: CVE-2025-15381 GHSA-g6pg-52vf-843h |
mlflow/mlflow: mlflow/mlflow: Information disclosure and unauthorized data modification via unprotected tracing and assessment endpoints |
Affected by 5 other vulnerabilities. |
|
VCID-2p2m-e3dw-kuhs
Aliases: CVE-2025-10279 GHSA-4x5p-f36r-mxxr |
mlflow Creates of Temporary File in Directory with Insecure Permissions In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0. |
Affected by 13 other vulnerabilities. |
|
VCID-57gp-hzcs-nubp
Aliases: BIT-mlflow-2026-10803 CVE-2026-10803 PYSEC-2026-195 |
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. |
Affected by 3 other vulnerabilities. |
|
VCID-5a75-gxh6-5bak
Aliases: CVE-2026-2033 GHSA-q2r8-vmq7-fpx2 |
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. |
Affected by 9 other vulnerabilities. |
|
VCID-b5eg-nt7k-z7fw
Aliases: CVE-2025-11201 GHSA-5cvj-7rg6-jggj |
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921. |
Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-cu1t-7wnm-y7hk
Aliases: BIT-mlflow-2026-33866 CVE-2026-33866 GHSA-46r5-x6jq-v8g6 PYSEC-2026-94 |
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1 |
Affected by 1 other vulnerability. |
|
VCID-g8qn-qss3-sqcc
Aliases: CVE-2025-11200 GHSA-6xj8-rrqx-r4cv |
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916. |
Affected by 17 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-g9p5-4cqv-qfew
Aliases: BIT-mlflow-2026-33865 CVE-2026-33865 GHSA-fh64-r2vc-xvhr PYSEC-2026-93 |
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1 |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-hu7e-n16j-rubw
Aliases: CVE-2026-0545 GHSA-7qhf-v65m-g5f3 |
mlflow/mlflow: mlflow/mlflow: Unauthenticated remote code execution via unprotected job endpoints |
Affected by 1 other vulnerability. |
|
VCID-nzpp-uvn2-97dn
Aliases: CVE-2025-15379 GHSA-r23q-823p-vmf7 |
mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization. |
Affected by 9 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-q3e8-gwag-jbfd
Aliases: CVE-2025-1473 GHSA-969w-gqqr-g6j3 |
MLflow Cross-Site Request Forgery (CSRF) vulnerability A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user. |
Affected by 17 other vulnerabilities. |
|
VCID-rcqb-2498-77e2
Aliases: BIT-mlflow-2025-52967 CVE-2025-52967 GHSA-wxj7-3fx5-pp9m PYSEC-2025-52 |
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation. |
Affected by 16 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-rkbn-tn99-rucq
Aliases: CVE-2025-14287 GHSA-xch3-2f9x-wh9f |
mlflow: MLflow: Arbitrary command execution via unsanitized container image names |
Affected by 9 other vulnerabilities. |
|
VCID-shfs-2f4g-13dm
Aliases: CVE-2025-15036 GHSA-vhcx-3pq2-4fvc |
mlflow: mlflow: Path traversal vulnerability allows arbitrary file overwrite and privilege escalation |
Affected by 5 other vulnerabilities. |
|
VCID-tbbj-9qan-ubgg
Aliases: CVE-2026-2635 GHSA-gq3w-7jj3-x7gr |
MLflow Use of Default Password Authentication Bypass Vulnerability This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. |
Affected by 9 other vulnerabilities. |
|
VCID-twnx-dt83-nuf3
Aliases: CVE-2025-14279 GHSA-pgqp-8h46-6x4j |
MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. |
Affected by 12 other vulnerabilities. |
|
VCID-v436-quyu-1kav
Aliases: CVE-2025-15031 GHSA-fhff-qmm8-h2fp |
mlflow/mlflow: Path Traversal Vulnerability in mlflow/mlflow |
Affected by 5 other vulnerabilities. |
|
VCID-wp3u-ssnj-tyh8
Aliases: CVE-2026-0596 GHSA-rvhj-8chj-8v3c |
Mlflow: Command Injection when serving models with enable_mlserver=True A command injection vulnerability exists in Mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users. |
Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||