mlflow
PyPI64 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mlflowpage 1 of 2
- CVE-2022-0736HIGHCVSS 7.5EG 7.5✓ Fixed in 1.23.12022-02-23
vulnerable: 0.0.1 ... 1.9.1 (52 versions)
Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.
- CVE-2023-1176LOWCVSS 3.3EG 3.3✓ Fixed in 2.2.22023-03-24
vulnerable: 0.0.1 ... 2.2.1 (70 versions)
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.
- CVE-2023-1177CRITICALCVSS 9.3EG 9.3✓ Fixed in 2.2.12023-03-24
vulnerable: 0.0.1 ... 2.2.0 (69 versions)
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
- CVE-2023-2356HIGHCVSS 7.5EG 9.0✓ Fixed in 2.3.12023-04-28
vulnerable: 0.0.1 ... 2.3.0 (72 versions)
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.
- CVE-2023-2780CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.3.12023-05-17
vulnerable: 0.0.1 ... 2.3.0 (72 versions)
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.
- CVE-2023-30172HIGHCVSS 7.5EG 7.5✓ Fixed in 2.0.12023-05-11
vulnerable: 0.0.1 ... 2.0.0rc0 (65 versions)
A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.
- CVE-2023-3765CRITICALCVSS 10.0EG 10.0✓ Fixed in 2.5.02023-07-19
vulnerable: 0.0.1 ... 2.4.2 (77 versions)
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
- CVE-2023-4033HIGHCVSS 7.8EG 7.8✓ Fixed in 2.6.02023-08-01
vulnerable: 0.0.1 ... 2.5.0 (78 versions)
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
- CVE-2023-43472HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.02023-12-05
vulnerable: 0.0.1 ... 2.8.1 (83 versions)
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.
- CVE-2023-6014CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.8.02023-11-16
vulnerable: 0.0.1 ... 2.7.1 (81 versions)
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.
- CVE-2023-6015HIGHCVSS 7.5EG 7.5✓ Fixed in 2.8.12023-11-16
vulnerable: 0.0.1 ... 2.8.0 (82 versions)
MLflow allowed arbitrary files to be PUT onto the server.
- CVE-2023-6018CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.22023-11-16
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
An attacker can overwrite any file on the server hosting MLflow without any authentication.
- CVE-2023-6568MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.9.12023-12-07
vulnerable: 0.0.1 ... 2.9.0 (84 versions)
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Ty…
- CVE-2023-6709HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.22023-12-12
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
- CVE-2023-6753HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.22023-12-13
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
- CVE-2023-6831HIGHCVSS 8.1EG 8.1✓ Fixed in 2.9.22023-12-15
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
- CVE-2023-6909HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.22023-12-18
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
- CVE-2023-6940HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.22023-12-19
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.
- CVE-2023-6974CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.22023-12-20
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine.
- CVE-2023-6975CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.9.22023-12-20
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.
- CVE-2023-6976HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.22023-12-20
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.
- CVE-2023-6977HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.22023-12-20
vulnerable: 0.0.1 ... 2.9.1 (85 versions)
This vulnerability enables malicious users to read sensitive files on the server.
- CVE-2024-0520HIGHCVSS 8.8EG 8.8✓ Fixed in 2.9.02024-06-06
vulnerable: 0.0.1 ... 2.8.1 (83 versions)
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specific…
- CVE-2024-1483HIGHCVSS 7.5EG 7.5✓ Fixed in 2.12.12024-04-16
vulnerable: 0.0.1 ... 2.9.2 (95 versions)
A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters…
- CVE-2024-1558HIGHCVSS 7.5EG 7.5✓ Fixed in 2.12.12024-04-16
vulnerable: 0.0.1 ... 2.9.2 (95 versions)
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by …
- CVE-2024-1560HIGHCVSS 8.1EG 8.12024-04-16
vulnerable: 0.0.1 ... 2.9.2 (86 versions)
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_…
- CVE-2024-1593HIGHCVSS 7.5EG 7.52024-04-16
vulnerable: 0.0.1 ... 2.9.2 (86 versions)
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the U…
- CVE-2024-1594HIGHCVSS 7.5EG 7.52024-04-16
vulnerable: 0.0.1 ... 2.9.2 (86 versions)
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment componen…
- CVE-2024-27132HIGHCVSS 7.5EG 7.5✓ Fixed in 2.10.02024-02-23
vulnerable: 0.0.1 ... 2.9.2 (86 versions)
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over templat…
- CVE-2024-27133HIGHCVSS 7.5EG 7.5✓ Fixed in 2.10.02024-02-23
vulnerable: 0.0.1 ... 2.9.2 (86 versions)
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization ove…
- CVE-2024-27134HIGHCVSS 7.0EG 7.0✓ Fixed in 2.16.02024-11-25
vulnerable: 0.0.1 ... 2.9.2 (109 versions)
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when t…
- CVE-2024-2928HIGHCVSS 7.5EG 9.0✓ Fixed in 2.11.32024-06-06
vulnerable: 0.0.1 ... 2.9.2 (92 versions)
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for d…
- CVE-2024-3099MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.11.32024-06-06
vulnerable: 0.0.1 ... 2.9.2 (92 versions)
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the i…
- CVE-2024-3573CRITICALCVSS 9.3EG 9.3✓ Fixed in 2.10.02024-04-16
vulnerable: 0.0.1 ... 2.9.2 (86 versions)
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly …
- CVE-2024-37052HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 1.1.0 ... 2.9.2 (83 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37053HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 1.1.0 ... 2.9.2 (83 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37054HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 0.9.0 ... 2.9.2 (87 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37055HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 1.24.0 ... 2.9.2 (50 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37056HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 1.23.0 ... 2.9.2 (52 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted wit…
- CVE-2024-37057HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 2.0.0 ... 2.9.2 (40 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37058HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 2.10.0 ... 2.9.2 (26 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted wi…
- CVE-2024-37059HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 0.5.0 ... 3.4.0rc0 (149 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37060HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 1.27.0 ... 2.9.2 (45 versions)
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
- CVE-2024-37061HIGHCVSS 8.8EG 8.82024-06-04
vulnerable: 1.11.0 ... 2.9.2 (65 versions)
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
- CVE-2024-3848HIGHCVSS 7.5EG 7.5✓ Fixed in 2.12.12024-05-16
vulnerable: 0.0.1 ... 2.9.2 (95 versions)
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can …
- CVE-2024-4263MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.10.12024-05-16
vulnerable: 0.0.1 ... 2.9.2 (87 versions)
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation fo…
- CVE-2025-10279HIGHCVSS 7.0EG 7.0✓ Fixed in 3.4.0rc02026-02-02
vulnerable: 0.0.1 ... 3.3.2 (155 versions)
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exp…
- CVE-2025-11200CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.22.0rc02025-10-29
vulnerable: 0.0.1 ... 2.9.2 (131 versions)
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. …
- CVE-2025-14279HIGHCVSS 8.1EG 8.1✓ Fixed in 3.5.02026-01-12
vulnerable: 0.0.1 ... 3.5.0rc0 (158 versions)
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections an…
- CVE-2025-14287HIGHCVSS 8.8EG 8.8✓ Fixed in 3.8.0rc02026-03-16
vulnerable: 0.0.1 ... 3.7.0rc0 (164 versions)
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container i…
Check whether mlflow is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for mlflow CVEs against the assets you own.
Start Free Scan →