Update dependency mlflow to v3.11.1 [SECURITY] #55
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:

mlflow: 3.3.2 → 3.11.1

MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
CVE-2025-14279 / GHSA-pgqp-8h46-6x4j
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).

mlflow Creates a Temporary File in Directory with Insecure Permissions
CVE-2025-10279 / GHSA-4x5p-f36r-mxxr
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.
Severity: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

MLflow has a command injection in `mlflow/sagemaker/__init__.py`
CVE-2025-14287 / GHSA-xch3-2f9x-wh9f
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
Severity: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

MLflow Use of Default Password Authentication Bypass Vulnerability
CVE-2026-2635 / GHSA-gq3w-7jj3-x7gr
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the `basic_auth.ini` file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.
Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
CVE-2026-2033 / GHSA-q2r8-vmq7-fpx2
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account.
Severity: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Arbitrary file write via tar traversal in mlflow
CVE-2025-15031 / GHSA-fhff-qmm8-h2fp
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.
Severity: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

MLFlow path traversal vulnerability
CVE-2025-15036 / GHSA-vhcx-3pq2-4fvc
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

MLflow Command Injection vulnerability
CVE-2025-15379 / GHSA-r23q-823p-vmf7
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects version 3.8.0 and is fixed in version 3.8.1.
Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
CVE-2026-33866 / GHSA-46r5-x6jq-v8g6
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow versions through 3.10.1.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
CVE-2026-33865 / GHSA-fh64-r2vc-xvhr
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow versions through 3.10.1.
Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability
CVE-2026-2393 / GHSA-65h7-c7c4-mghx
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
Severity: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem
CVE-2026-2614 / GHSA-42h5-h8qh-vv9v
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Mlflow: Command Injection when serving models with `enable_mlserver=True`
CVE-2026-0596 / GHSA-rvhj-8chj-8v3c
A command injection vulnerability exists in Mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
Severity: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

MLflow: unauthenticated access to certain FastAPI routes
CVE-2026-2652 / GHSA-75cm-x2w3-8mgf
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
Severity: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

MLFlow Creates a Temporary File With Insecure Permissions
CVE-2026-4137 / GHSA-f2m9-wcf4-cwwx
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
Severity: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks
CVE-2026-2734 / GHSA-w5xq-c4pf-ghq7
In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
Severity: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Release Notes
mlflow/mlflow (mlflow)
v3.11.1
MLflow 3.11.1 includes several major features and improvements.

Major New Features:
- … `MLFLOW_ENABLE_OTEL_GENAI_SEMCONV` enabled, MLflow automatically translates them to follow the OTel GenAI semantic conventions, enabling seamless integration with OTel-compatible observability platforms while preserving GenAI-specific metadata. Docs (#21494, #21495, @B-Step62)
- … `torch.export` and `skops` formats, with improved controls when `MLFLOW_ALLOW_PICKLE_DESERIALIZATION=False`. Comprehensive documentation guides you through migrating existing models to pickle-free formats for production deployments. Docs (#21404, #21188, #20774, @WeichenXu123)

Breaking Changes:
- … `package.json` dependencies and import statements: `mlflow-tracing` → `@mlflow/core`, `mlflow-openai` → `@mlflow/openai`, `mlflow-anthropic` → `@mlflow/anthropic`, `mlflow-gemini` → `@mlflow/gemini`. All packages are now at version `0.2.0`. (#20792, @B-Step62)
- … `MLFLOW_ENABLE_INCREMENTAL_SPAN_EXPORT` environment variable (#22182, @PattaraS)
- … `litellm` and `gepa` from `genai` extras (#22059, @TomeHirata)
- … `/` and `:` in Registered Model names (#21458, @Bhuvan-08)

Features:
- … `MetaPromptOptimizer` to work without `litellm` (#22233, @TomeHirata)
- … `aiohttp` as a core dependency of `mlflow` (#22189, @TomeHirata)
- … `_get_provider_instance` with groq, deepseek, xai, openrouter, ollama, databricks, vertex_ai (#22148, @kriscon-db)
- … `log_spans()` to eliminate per-span ORM overhead (#21954, @harupy)
- … `cost_per_token` to remove litellm dependency for cost tracking (#22046, @TomeHirata)
- … `table_prefix` to experiment ID in `set_experiment` (#21815, @danielseong1)
- … `SqlIssue` database table for storing experiment issues (#21165, @serena-ruan)
- … `b2://`) (#20731, @jeronimodeleon)

Bug fixes:
- … `DatabricksProvider` to use OpenAI-compatible endpoint URLs (#22393, @TomeHirata)
- … `InferenceTableSpanProcessor` alongside `DatabricksUCTableSpanProcessor` in model serving (#22332)" (#22362, @smurching)
- … `UCSchemaLocation` destination is set in Databricks model serving (trace: null) (#22332, @smurching)
- … `tool_reference` content blocks in Anthropic Chat UI parser (#22331, @B-Step62)
- … `uv` version requirement from `0.5.0` to `0.6.10` (#22313, @copilot-swe-agent)
- … `use_dbconnect_artifact` path in `spark_udf` (#22300, @franciffu723)
- … `get_provider_name()` to align with `model_prices_and_context_window.json` (#22223, @TomeHirata)
- … `log_image` with slash-containing keys: replace `#` with `~` as path separator (#22172, @copilot-swe-agent)
- … `_call_llm_via_gateway` to handle `gateway:/` URIs (#22153, @TomeHirata)
- … `polars_dataset.py` to fix import failure with polars<1 (#22085, @TomeHirata)
- … `huey_consumer.py` path resolution when venv bin dir is not on `PATH` (#22126, @copilot-swe-agent)
- … `model_provider` in `calculate_cost_by_model_`

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
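The two tar traversal advisories above (CVE-2025-15031 and CVE-2025-15036) share one root cause: tar member names are handed to the extractor without checking where they resolve. The following is an added example of the validation an extractor needs before writing anything; it is not MLflow's code, and every name in it (`safe_extract`, `_check_member`, `build_tar`, `try_extract`) is this example's own.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Added illustration for CVE-2025-15031 / CVE-2025-15036 (member paths handed to
# tarfile.extractall without validation). Not MLflow's code; names are this example's.
class UnsafeTarMember(ValueError):
    """A member would land outside the destination or is not a plain file/directory."""

def _check_member(dest: Path, member: tarfile.TarInfo) -> None:
    """Reject absolute names, '..' escapes, links and device nodes before any write."""
    if os.path.isabs(member.name):
        raise UnsafeTarMember(f"absolute member path {member.name!r}")
    if member.issym() or member.islnk():
        # a link written first could redirect a later member's write outside dest
        raise UnsafeTarMember(f"link member {member.name!r} rejected")
    if not (member.isfile() or member.isdir()):
        raise UnsafeTarMember(f"special member {member.name!r} rejected")
    target = (dest / member.name).resolve()   # collapses any '..' components
    if target != dest and dest not in target.parents:
        raise UnsafeTarMember(f"member {member.name!r} escapes {dest}")

def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract tar.gz bytes into dest; every member is validated before any is written."""
    dest_path = Path(dest).resolve()
    dest_path.mkdir(parents=True, exist_ok=True)
    # Python >= 3.12 ships the 'data' extraction filter; keep it as a second layer.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            _check_member(dest_path, member)
        for member in members:
            tar.extract(member, path=dest_path, **extra)
    return [m.name for m in members]

def build_tar(entries: dict) -> bytes:
    """Constructed test input: an in-memory tar.gz built from {member_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def try_extract(tar_bytes: bytes) -> str:
    """Extract into a fresh temporary directory; return 'ok' or the rejection reason."""
    try:
        safe_extract(tar_bytes, tempfile.mkdtemp(prefix="safe_tar_"))
        return "ok"
    except UnsafeTarMember as exc:
        return str(exc)
```

Validating every member before extracting any matters: a rejection on the third member must not leave the first two already on disk.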
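The DNS rebinding advisory (CVE-2025-14279) describes a missing Origin header check on the REST server. The added example below, which is not MLflow's code, shows the request-level check a server can apply; `check_request`, `_host_of` and the default host list are this example's own assumptions. The caveat worth knowing: against rebinding specifically, the Host header is the decisive signal, because the browser still sends the attacker's hostname there even though it considers the request same-origin.

```python
from urllib.parse import urlsplit

# Added illustration of the check the DNS-rebinding advisory (CVE-2025-14279) says was
# missing. Not MLflow's code; function names and the default host list are assumptions.
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})

def _host_of(authority: str) -> str:
    """Strip the port from a Host header or an Origin's netloc ('host:port' -> 'host')."""
    authority = authority.strip().lower()
    if authority.startswith("["):                      # bracketed IPv6 literal
        return authority.split("]")[0] + "]"
    return authority.rsplit(":", 1)[0] if ":" in authority else authority

def check_request(method: str, headers: dict, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> tuple:
    """Return (allowed, reason) for one request.

    Host is checked first: a rebinding attacker controls the DNS answer, not the Host
    header, so a browser reaching the server through another name still sends that
    name in Host. Origin, when present, must map to an allowed host. State-changing
    requests with no Origin are refused only if Sec-Fetch-Site says they came from
    another site; non-browser clients send neither header and pass the Host check.
    """
    h = {name.lower(): value for name, value in headers.items()}
    host = h.get("host")
    if host is None or _host_of(host) not in allowed_hosts:
        return False, "host not allowed"
    origin = h.get("origin")
    if origin == "null":
        return False, "opaque origin refused"
    if origin is not None:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or _host_of(parts.netloc) not in allowed_hosts:
            return False, "cross-origin request refused"
    elif method.upper() not in ("GET", "HEAD", "OPTIONS"):
        if h.get("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
            return False, "cross-site request without origin refused"
    return True, "ok"
```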