What is GHSA-f2m9-wcf4-cwwx?

GHSA-f2m9-wcf4-cwwx is a security advisory published by GitHub Security Advisories with High severity. MLFlow Creates a Temporary File With Insecure Permissions

Which CVE IDs does GHSA-f2m9-wcf4-cwwx cover?

GHSA-f2m9-wcf4-cwwx covers the following CVE IDs: CVE-2026-4137. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-f2m9-wcf4-cwwx?

GHSA-f2m9-wcf4-cwwx has a CVSS v3 base score of 7.0, published by GitHub Security Advisories.

Which products are affected by GHSA-f2m9-wcf4-cwwx?

GHSA-f2m9-wcf4-cwwx affects 1 product, including: pip/mlflow:\u003c 3.11.0.

GHSA-f2m9-wcf4-cwwxHighCVSS 7.0

MLFlow Creates a Temporary File With Insecure Permissions

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-4137 →

📋 Description

In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via cloudpickle.load(). This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.

🎯 Affected products1

pip/mlflow:< 3.11.0

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (5)