
Update dependency mlflow to v3.11.1 [SECURITY]#55

Open
renovate[bot] wants to merge 1 commit into main from renovate/pypi-mlflow-vulnerability

Conversation


@renovate renovate Bot commented May 5, 2026


ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change           | Age     | Confidence
mlflow  | 3.3.2 -> 3.11.1  | (badge) | (badge)

MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation

CVE-2025-14279 / GHSA-pgqp-8h46-6x4j

More information

Details

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
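The check the advisory says was missing, as an added example (not MLflow's code): a DNS-rebinding page ends up sending requests whose Host header, and on cross-origin fetches whose Origin header, carry the attacker's hostname rather than the server's. Validating both against an explicit allowlist defeats it. The allowlist entries and the header dictionaries are constructed for the example.

```python
"""Host/Origin validation against DNS rebinding (added example, not MLflow code)."""
from urllib.parse import urlsplit

# Constructed allowlist: the names/addresses this server is legitimately reached by.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "mlflow.internal.example"}


def _hostname(value):
    """Return the lowercase hostname of a Host header value or an Origin/Referer URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    # A bare Host value: prefix '//' so urlsplit strips the port and IPv6 brackets.
    return (urlsplit("//" + value).hostname or "").lower()


def request_allowed(headers, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a request may reach state-changing REST endpoints.

    * Host must be on the allowlist: after rebinding, the browser still sends
      the attacker's hostname in Host even though the TCP connection hits us.
    * If Origin is present (browsers send it on cross-origin and most non-GET
      requests) its hostname must be on the allowlist too; 'null' is rejected.
    * Otherwise fall back to Referer when present.
    """
    if _hostname(headers.get("Host", "")) not in allowed_hosts:
        return False
    origin = headers.get("Origin")
    if origin is not None:
        if origin == "null":
            return False
        return _hostname(origin) in allowed_hosts
    referer = headers.get("Referer")
    if referer is not None:
        return _hostname(referer) in allowed_hosts
    return True
```

Wire this in before any mutating handler (or as a Flask `before_request` hook); pure GETs to static assets can be exempted, but the experiment/run CRUD endpoints the advisory names should not be. Comparing the port as well as the hostname is a cheap extra if the server is ever reachable on several ports.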

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


mlflow Creates a Temporary File in a Directory with Insecure Permissions

CVE-2025-10279 / GHSA-4x5p-f36r-mxxr

More information

Details

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow has a command injection in mlflow/sagemaker/__init__.py

CVE-2025-14287 / GHSA-xch3-2f9x-wh9f

More information

Details

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/sagemaker/__init__.py file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using os.system(). This allows attackers to execute arbitrary commands by supplying malicious input through the --container parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow Use of Default Password Authentication Bypass Vulnerability

CVE-2026-2635 / GHSA-gq3w-7jj3-x7gr

More information

Details

This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability

CVE-2026-2033 / GHSA-q2r8-vmq7-fpx2

More information

Details

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Arbitrary file write via tar traversal in mlflow

CVE-2025-15031 / GHSA-fhff-qmm8-h2fp

More information

Details

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLFlow path traversal vulnerability

CVE-2025-15036 / GHSA-vhcx-3pq2-4fvc

More information

Details

A path traversal vulnerability exists in the extract_archive_to_dir function within the mlflow/pyfunc/dbconnect_artifact_cache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
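One containment check serves the artifact-handler directory traversal above and both tar traversal advisories, so here is a single added example (not MLflow's code) that does both: a user-supplied artifact path must resolve below the artifact root, and every tar member (including symlink and hard-link targets) must resolve below the extraction directory before anything is written. The archive contents and directory names are constructed in the demo helpers.

```python
"""Path containment for artifact paths and tar extraction (added example, not MLflow code)."""
import io
import os
import sys
import tarfile
import tempfile


class UnsafePathError(ValueError):
    pass


def resolve_inside(root, requested):
    """Return the absolute path of `requested` below `root`, or raise.

    realpath follows symlinks and collapses '..', so one string comparison
    catches 'a/../../etc/passwd', absolute names and symlink escapes alike.
    commonpath avoids the prefix bug where root '/srv/art' would accept
    '/srv/art-evil/x'.
    """
    root = os.path.realpath(root)
    if os.path.isabs(requested):
        raise UnsafePathError(f"absolute path rejected: {requested!r}")
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise UnsafePathError(f"path escapes root: {requested!r}")
    return target


def is_inside(root, requested):
    try:
        resolve_inside(root, requested)
        return True
    except UnsafePathError:
        return False


def safe_extract(tar, dest):
    """Validate every member first, then extract; a bad archive writes nothing."""
    dest = os.path.realpath(dest)
    for m in tar.getmembers():
        resolve_inside(dest, m.name)
        if m.issym():
            # symlink targets are relative to the member's own directory
            resolve_inside(dest, os.path.join(os.path.dirname(m.name), m.linkname))
        elif m.islnk():
            # hard-link targets are relative to the archive root
            resolve_inside(dest, m.linkname)
        elif not (m.isfile() or m.isdir()):
            raise UnsafePathError(f"special file rejected: {m.name!r}")
    # Python 3.12+ 'data' filter also blocks writes *through* a symlink
    # extracted earlier in the same archive, which the pre-check cannot see.
    kwargs = {"filter": "data"} if sys.version_info >= (3, 12) else {}
    tar.extractall(dest, **kwargs)


def build_tar(members):
    """Construct an in-memory tar.gz from {name: bytes} (test data, constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def try_extract(members):
    """Return 'ok' if the constructed archive extracts, else the rejection message."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=build_tar(members), mode="r:gz") as tar:
            try:
                safe_extract(tar, dest)
            except UnsafePathError as e:
                return str(e)
    return "ok"
```

The same `resolve_inside` is what an artifact download handler should call on the requested relative path before opening anything; the prompt-tag bypass described further down this PR is the same bug class on the model-version source rather than on a request path.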

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow Command Injection vulnerability

CVE-2025-15379 / GHSA-r23q-823p-vmf7

More information

Details

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the _install_model_dependencies_to_env() function. When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects version 3.8.0 and is fixed in version 3.8.1.

Severity

  • CVSS Score: 10.0 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint

CVE-2026-33866 / GHSA-46r5-x6jq-v8g6

More information

Details

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.

This issue affects MLflow versions through 3.10.1.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

CVE-2026-33865 / GHSA-fh64-r2vc-xvhr

More information

Details

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.

This issue affects MLflow versions through 3.10.1.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability

CVE-2026-2393 / GHSA-65h7-c7c4-mghx

More information

Details

A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The _create_webhook() function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the _send_webhook_request() function in mlflow/webhooks/delivery.py sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
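The three controls the advisory says were absent (scheme filtering, input validation, an address check) in one added example that is not MLflow's code. The resolver is injectable so the check runs offline here; the DNS table, hostnames and addresses are constructed. Note that the literal IP and the resolved addresses are judged by `ipaddress.is_global`, which already excludes loopback, private, link-local (so the 169.254.169.254 metadata endpoint) and IPv4-mapped IPv6 forms.

```python
"""Webhook URL validation against SSRF (added example, not MLflow code)."""
import ipaddress
import socket
from urllib.parse import urlsplit


class WebhookUrlError(ValueError):
    pass


def _address_is_public(text):
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return addr.is_global and not addr.is_multicast


def default_resolver(host):
    """All A/AAAA records for host (needs network; not used by the tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_webhook_url(url, resolver=default_resolver, allowed_schemes=("https",)):
    """Return {'host', 'addresses'} for an acceptable URL, or raise WebhookUrlError."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise WebhookUrlError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise WebhookUrlError("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise WebhookUrlError("missing host")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # plain IP literal
    except ValueError:
        # Names (and odd literals such as decimal '2130706433', which
        # getaddrinfo would turn into 127.0.0.1) go through the resolver.
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as e:
            raise WebhookUrlError(f"cannot resolve {host!r}: {e}") from e
    if not addrs:
        raise WebhookUrlError(f"no addresses for {host!r}")
    for a in addrs:
        if not _address_is_public(a):
            raise WebhookUrlError(f"{host!r} resolves to non-public address {a}")
    return {"host": host, "addresses": sorted(addrs)}


def is_safe_webhook_url(url, resolver=default_resolver):
    try:
        validate_webhook_url(url, resolver)
        return True
    except WebhookUrlError:
        return False


# Constructed DNS table for the offline demo; 93.184.216.x stand in for public hosts.
FAKE_DNS = {
    "hooks.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},               # name pointing at metadata
    "db.corp.example": {"10.0.0.5", "93.184.216.35"},       # one private record is enough to reject
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
```

Validation at creation time is not sufficient on its own: a name can be re-pointed between creation and delivery (DNS rebinding again), so the delivery code should resolve, re-check and then connect to the checked address, and should not follow redirects to an unchecked one.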

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem

CVE-2026-2614 / GHSA-42h5-h8qh-vv9v

More information

Details

A vulnerability in the _create_model_version() handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The get_model_version_artifact_handler() function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mlflow: Command Injection when serving models with enable_mlserver=True

CVE-2026-0596 / GHSA-rvhj-8chj-8v3c

More information

Details

A command injection vulnerability exists in Mlflow when serving a model with enable_mlserver=True. The model_uri is embedded directly into a shell command executed via bash -c without proper sanitization. If the model_uri contains shell metacharacters, such as $() or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
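This advisory, the sagemaker `--container` one and the python_env.yaml one above share a single root cause: an attacker-influenced string is formatted into a command line that a shell then parses. One added example (not MLflow's code) shows the bug pattern, the two fixes, and a domain validator as defence in depth. The commands run `echo` under `/bin/sh` so the effect is observable offline; the image-reference and requirement grammars are conservative subsets written for this example, not the full Docker or PEP 508 specs.

```python
"""Shell interpolation versus argv lists (added example, not MLflow code)."""
import re
import shlex
import subprocess


def run_vulnerable(model_uri):
    """Bug pattern: format the value into a string, hand it to `sh -c`.

    `$(...)`, backticks, `;`, `&&` and `|` inside model_uri become shell syntax.
    """
    cmd = f"echo serving {model_uri}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


def run_hardened(model_uri):
    """Fix 1: an argv list. No shell parses it, so metacharacters stay literal."""
    return subprocess.run(["echo", "serving", model_uri],
                          capture_output=True, text=True).stdout.strip()


def run_quoted(model_uri):
    """Fix 2: when a shell is unavoidable (a wrapper that must be `bash -c`),
    shlex.quote turns the value into one single-quoted literal word."""
    cmd = f"echo serving {shlex.quote(model_uri)}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


# Defence in depth: reject values that the domain could never need before they
# reach any command. Both grammars are constructed, deliberately narrow subsets
# (no host:port registries, no environment markers).
_IMAGE_REF = re.compile(
    r"^[a-z0-9]+(?:[._-][a-z0-9]+)*"            # first path component
    r"(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"        # further components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"   # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?$"                # optional @digest
)
_OP = r"(?:===|==|!=|<=|>=|~=|<|>)"
_REQUIREMENT = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"   # distribution name
    r"(?:\[[A-Za-z0-9_.,-]+\])?"                     # optional [extras]
    rf"(?:{_OP}[A-Za-z0-9.*+!-]+(?:,{_OP}[A-Za-z0-9.*+!-]+)*)?$"  # version specifiers
)


def is_valid_image_ref(value):
    return bool(_IMAGE_REF.match(value))


def is_valid_requirement(value):
    return bool(_REQUIREMENT.match(value))
```

The validator is a second line, not the fix: an allowlisting grammar can be wrong or later relaxed, whereas the argv form removes the shell from the data path entirely.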

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow: unauthenticated access to certain FastAPI routes

CVE-2026-2652 / GHSA-75cm-x2w3-8mgf

More information

Details

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on /gateway/ routes, leaving other routes such as the Job API (/ajax-api/3.0/jobs/*) and the OpenTelemetry trace ingestion API (/v1/traces) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the _find_fastapi_validator() function fails to handle non-/gateway/ paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
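The fix for a middleware that only authenticates paths under `/gateway/` is to invert the rule: every HTTP request needs a valid credential unless its path is on a short, explicit public allowlist. An added example (not MLflow's code) of that default-deny shape as a plain ASGI middleware, with no FastAPI or Starlette dependency so it runs here against a fake app; the public paths, the credential table and the synthetic requests are constructed.

```python
"""Default-deny ASGI authentication middleware (added example, not MLflow code)."""
import asyncio
import base64
import hmac

PUBLIC_PATHS = {"/health", "/version"}          # constructed allowlist
USERS = {"alice": "correct horse battery"}      # constructed credential table


def _parse_basic(header_value):
    """Return (user, password) from 'Basic <base64>' or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _credentials_ok(user, password):
    expected = USERS.get(user)
    # compare_digest keeps the password comparison constant-time
    return expected is not None and hmac.compare_digest(expected, password)


async def _send_plain(send, status, body, extra=()):
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain")] + list(extra)})
    await send({"type": "http.response.body", "body": body})


class DefaultDenyAuth:
    def __init__(self, app, public_paths=PUBLIC_PATHS):
        self.app = app
        self.public_paths = public_paths

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":              # lifespan etc. pass through
            return await self.app(scope, receive, send)
        if scope["path"] in self.public_paths:   # exact match, not a prefix
            return await self.app(scope, receive, send)
        headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                   for k, v in scope.get("headers", [])}
        creds = _parse_basic(headers.get("authorization", ""))
        if creds is None or not _credentials_ok(*creds):
            return await _send_plain(send, 401, b"unauthorized",
                                     extra=[(b"www-authenticate", b'Basic realm="mlflow"')])
        scope = dict(scope, user=creds[0])       # hand the identity to the app
        return await self.app(scope, receive, send)


async def protected_app(scope, receive, send):
    """Stand-in for the real app: echoes the authenticated user, if any."""
    await _send_plain(send, 200, f"hello {scope.get('user', 'anon')}".encode())


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def request(path, authorization=None):
    """Drive the stack with a synthetic ASGI scope; return (status, body)."""
    headers = [(b"host", b"localhost")]
    if authorization is not None:
        headers.append((b"authorization", authorization.encode()))
    scope = {"type": "http", "method": "POST", "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(DefaultDenyAuth(protected_app)(scope, receive, send))
    return sent[0]["status"], sent[1]["body"].decode()
```

Because the rule is "deny unless listed", adding a new router such as `/ajax-api/3.0/jobs/*` or `/v1/traces` later cannot silently create an unauthenticated surface; forgetting to list a path fails closed with a 401 rather than open.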

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLFlow Creates a Temporary File With Insecure Permissions

CVE-2026-4137 / GHSA-f2m9-wcf4-cwwx

More information

Details

In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via cloudpickle.load(). This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
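This advisory and CVE-2025-10279 above are the same defect: a scratch directory created with 0o777 or 0o770 under a shared parent, so another local user can replace a .py file or a pickled artifact before it is loaded. An added example (not MLflow's code) puts the bug pattern beside the safe one and adds the ownership/mode audit a service on a shared NFS mount should run before trusting a directory's contents. The parent directory is a throwaway created by the demo.

```python
"""Private temp directories and a permission audit (added example, not MLflow code)."""
import os
import stat
import tempfile


def vulnerable_tmp_dir(parent):
    """Bug pattern: predictable name under a shared parent, then chmod 0o777."""
    path = os.path.join(parent, "venvs")
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o777)      # any local user may now rewrite files in here
    return path


def private_tmp_dir(parent=None):
    """Hardened: random name, mode 0o700, created atomically; never widened."""
    return tempfile.mkdtemp(prefix="mlflow-venv-", dir=parent)


def audit_dir(path):
    """Return the list of reasons not to trust `path` (empty when it is safe).

    Uses lstat so a symlink planted at the path is reported, not followed.
    """
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory")
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not {os.geteuid()}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def demo():
    """Compare both patterns inside a throwaway parent directory (constructed)."""
    with tempfile.TemporaryDirectory() as parent:
        bad = vulnerable_tmp_dir(parent)
        good = private_tmp_dir(parent)
        return {"vulnerable": audit_dir(bad), "private": audit_dir(good)}
```

The audit is the important half on NFS: a mode of 0o700 on the directory does not help if the directory itself sits in a world-writable parent without the sticky bit, where another user can rename it away and substitute their own, so check the parent too and, where possible, keep scratch space on local disk.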

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks

CVE-2026-2734 / GHSA-w5xq-c4pf-ghq7

More information

Details

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of SearchModelVersions in the BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS for the REST API, and its omission from GraphQLAuthorizationMiddleware.PROTECTED_FIELDS for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
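The root cause here is an omission from a lookup table, which is the kind of bug a test can catch structurally: diff the handler registry against the validator registry and fail the build on any handler that is neither validated nor explicitly declared public. An added example (not MLflow's code) of that check plus a default-deny dispatch and a per-model result filter; the endpoint names, handlers and permission model are constructed stand-ins for MLflow's real tables.

```python
"""Validator-table completeness check (added example, not MLflow code)."""


def allow_all(user, request):
    return True


def can_read_model(user, request):
    return request["name"] in user["readable_models"]


# Constructed handler registry: every request type the server exposes.
HANDLERS = {
    "CreateRegisteredModel": lambda r: "created",
    "GetRegisteredModel": lambda r: "model",
    "SearchModelVersions": lambda r: "versions",
    "GetModelVersionDownloadUri": lambda r: "uri",
}

# Constructed authorization table. A handler missing from here has no check
# at all, which is the failure mode the advisory describes.
BEFORE_REQUEST_VALIDATORS = {
    "CreateRegisteredModel": allow_all,
    "GetRegisteredModel": can_read_model,
    "GetModelVersionDownloadUri": can_read_model,
}

# Endpoints meant to be public must be declared here, never just left out.
PUBLIC_ENDPOINTS = set()


def find_unprotected(handlers=HANDLERS, validators=BEFORE_REQUEST_VALIDATORS,
                     public=PUBLIC_ENDPOINTS):
    """Names of handlers that are neither validated nor declared public."""
    return sorted(n for n in handlers if n not in validators and n not in public)


def dispatch(name, user, request, validators=BEFORE_REQUEST_VALIDATORS):
    """Default-deny dispatch: no validator entry means 403, not 'no check'."""
    validator = validators.get(name)
    if validator is None or not validator(user, request):
        return 403, None
    return 200, HANDLERS[name](request)


def filter_visible_versions(user, versions):
    """Post-filter for search results: only versions of models the caller may read."""
    return [v for v in versions if v["name"] in user["readable_models"]]
```

For a search endpoint the validator alone is not enough, since the caller is allowed to call it; the result set must be filtered per model (or the query scoped) before it is returned, which is what `filter_visible_versions` does. Running `find_unprotected()` as a unit test turns the next forgotten entry into a failing build.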

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

mlflow/mlflow (mlflow)

v3.11.1

MLflow 3.11.1 includes several major features and improvements.

Major New Features:

  • 🔍 Automatic Issue Identification: Automatically identify quality issues in your agent with AI! Use the new "Detect Issues" button in the traces table to analyze selected traces and surface potential problems across categories like correctness, safety, and performance. Issues are linked directly to traces for easy investigation and debugging. Docs (#​21431, #​21204, #​21165, #​21163, #​21161, @​smoorjani, @​serena-ruan)
  • 💰 Gateway Budget Alerts & Limits: Control your AI Gateway spending with configurable budget policies! Set spending limits by time window (daily, weekly, or monthly), receive alerts before hitting limits, and prevent runaway costs with automatic request blocking. The new budget management UI lets you track spending, configure webhooks for notifications, and monitor violations across all your gateway endpoints. Docs (#​21116, #​21534, #​21569, #​21473, #​21108, @​TomeHirata, @​copilot-swe-agent)
  • 📊 Trace Graph View: Visualize complex trace hierarchies with an interactive graph view! Navigate multi-level trace structures, understand parent-child relationships at a glance, and debug complex systems more effectively with a visual representation of your trace topology. Docs (#​20607, @​joelrobin18)
  • 🌐 Native OpenTelemetry GenAI Convention Support: MLflow now natively supports the OpenTelemetry GenAI Semantic Conventions for trace export! When exporting traces via OTLP with MLFLOW_ENABLE_OTEL_GENAI_SEMCONV enabled, MLflow automatically translates them to follow the OTel GenAI semantic conventions, enabling seamless integration with OTel-compatible observability platforms while preserving GenAI-specific metadata. Docs (#​21494, #​21495, @​B-Step62)
  • 🔧 OpenCode Tracing Integration: Debug smarter with OpenCode CLI integration! Track and analyze code execution flows directly from your development workflow, making it easier to identify performance bottlenecks and trace issues back to specific code paths. Docs (#​20133, @​joelrobin18)
  • Native UV Support for Model Dependencies: Automatic dependency inference now supports UV! MLflow automatically detects UV projects and captures exact, locked dependencies from your lockfile when logging models, ensuring reproducible environments. Docs (#​20344, #​20935, @​debu-sinha)
  • 🔒 Pickle-Free Model Serialization: Enhance security with pickle-free model formats! MLflow now supports safer model serialization using torch.export and skops formats, with improved controls when MLFLOW_ALLOW_PICKLE_DESERIALIZATION=False. Comprehensive documentation guides you through migrating existing models to pickle-free formats for production deployments. Docs (#​21404, #​21188, #​20774, @​WeichenXu123)

Breaking Changes:

  • ⚠️ TypeScript SDK Package Renaming: The MLflow TypeScript SDK packages have been renamed to use npm organization scoping. If you're using the TypeScript SDK, update your package.json dependencies and import statements: mlflow-tracing → @mlflow/core, mlflow-openai → @mlflow/openai, mlflow-anthropic → @mlflow/anthropic, mlflow-gemini → @mlflow/gemini. All packages are now at version 0.2.0. (#​20792, @​B-Step62)
  • Remove MLFLOW_ENABLE_INCREMENTAL_SPAN_EXPORT environment variable (#​22182, @​PattaraS)
  • Remove litellm and gepa from genai extras (#​22059, @​TomeHirata)
  • Block / and : in Registered Model names (#​21458, @​Bhuvan-08)

Features:

Bug fixes:

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/pypi-mlflow-vulnerability branch from cf41a76 to dbc0162 Compare May 20, 2026 14:11
@renovate renovate Bot force-pushed the renovate/pypi-mlflow-vulnerability branch from dbc0162 to 12124b4 Compare June 12, 2026 14:12
@renovate renovate Bot force-pushed the renovate/pypi-mlflow-vulnerability branch from 12124b4 to 3c1cc0e Compare June 23, 2026 15:06