MLflow — CVE history (PyPI)

MLflow

30 CVEs affect the MLflow PyPI package (highest CVSS 10.0). Latest disclosed: 2026-06-04. Full CVE history sourced from NVD.

Summary

Package: MLflow (PyPI)
Total CVEs: 30
Actively exploited (CISA KEV): 0
Highest CVSS: 10.0
Latest disclosed: 2026-06-04

Recent CVEs (top 20)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-10803 | Low | 3.6 | | 2026-06-04 | A flaw has been found in MLflow up to 3.10.0. |
| CVE-2026-4035 | High | 7.7 | | 2026-06-03 | A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlle… |
| CVE-2026-3198 | Medium | 6.5 | | 2026-06-02 | MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. |
| CVE-2026-2651 | Critical | 9.0 | | 2026-05-25 | A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. |
| CVE-2026-2734 | Medium | 6.5 | | 2026-05-21 | In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. |
| CVE-2026-2611 | Critical | 9.6 | | 2026-05-19 | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. |
| CVE-2026-4137 | High | 7.8 | | 2026-05-18 | In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` func… |
| CVE-2026-2652 | High | 8.6 | | 2026-05-15 | A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). |
| CVE-2026-2614 | High | 7.5 | | 2026-05-11 | A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. |
| CVE-2026-2393 | High | 7.1 | | 2026-05-11 | A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. |
| CVE-2026-33866 | | | | 2026-04-07 | MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. |
| CVE-2026-33865 | | | | 2026-04-07 | MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. |
| CVE-2025-15379 | Critical | 9.8 | | 2026-03-30 | A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. |
| CVE-2025-15036 | Critical | 10.0 | | 2026-03-30 | A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. |
| CVE-2025-15381 | High | 7.1 | | 2026-03-27 | In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. |
| CVE-2026-2635 | Critical | 9.8 | | 2026-02-20 | MLflow Use of Default Password Authentication Bypass Vulnerability. |
| CVE-2026-2033 | High | 8.1 | | 2026-02-20 | MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. |
| CVE-2025-11200 | High | 8.1 | | 2025-10-29 | MLflow Weak Password Requirements Authentication Bypass Vulnerability. |
| CVE-2025-11201 | High | 8.1 | | 2025-10-29 | MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. |
| CVE-2025-52967 | Medium | 5.8 | | 2025-06-23 | gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation. |

All-time worst (top 10 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-15036 | Critical | 10.0 | | 2026-03-30 | A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. |
| CVE-2025-15379 | Critical | 9.8 | | 2026-03-30 | A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. |
| CVE-2026-2635 | Critical | 9.8 | | 2026-02-20 | MLflow Use of Default Password Authentication Bypass Vulnerability. |
| CVE-2026-2611 | Critical | 9.6 | | 2026-05-19 | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. |
| CVE-2026-2651 | Critical | 9.0 | | 2026-05-25 | A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. |
| CVE-2024-37061 | High | 8.8 | | 2024-06-04 | Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run. |
| CVE-2024-37060 | High | 8.8 | | 2024-06-04 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. |
| CVE-2024-37059 | High | 8.8 | | 2024-06-04 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. |
| CVE-2024-37058 | High | 8.8 | | 2024-06-04 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with… |
| CVE-2024-37057 | High | 8.8 | | 2024-06-04 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. |