lfprojects mlflow

65 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-2652
< 3.10.0
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the serve
8.6 HIGH
CVE-2026-33866
<= 3.10.1
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing
4.3 MEDIUM
CVE-2026-33865
<= 3.10.1
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web inte
5.4 MEDIUM
CVE-2026-0545
all versions
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/* are not protected by authentication or authorization when
9.8 CRITICAL
CVE-2026-0596
all versions
A command injection vulnerability exists in mlflow/mlflow when serving a model with enable_mlserver=True. The model_uri is emb
7.8 HIGH
CVE-2025-15379
>= 3.8.0 and <= 3.8.1
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_mo
9.8 CRITICAL
CVE-2025-15036
< 3.9.0
A path traversal vulnerability exists in the extract_archive_to_dir function within the `mlflow/pyfunc/dbconnect_artifact_cache.
10.0 CRITICAL
CVE-2025-15381
all versions
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected b
7.1 HIGH
CVE-2025-15031
<= 3.10.1
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive ent
9.1 CRITICAL
CVE-2025-14287
< 3.7.0
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.p
8.8 HIGH
CVE-2025-10279
< 3.4.0
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writabl
7.0 HIGH
CVE-2025-14279
< 3.5.0
MLflow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the
8.1 HIGH
CVE-2025-11201
< 2025-06-10
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote at
9.8 CRITICAL
CVE-2025-11200
<= 2.21.0
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authen
9.8 CRITICAL
CVE-2025-1474
< 2.19.0
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could
5.5 MEDIUM
CVE-2025-1473
>= 2.17.0 and < 2.20.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vu
7.1 HIGH
CVE-2025-0453
all versions
In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large
7.5 HIGH
CVE-2024-8859
all versions
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenatin
7.5 HIGH
CVE-2024-6838
all versions
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number
5.3 MEDIUM
CVE-2024-27134
< 2.16.0
Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. This behavior can be exploited
7.0 HIGH
CVE-2024-3099
all versions
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL en
5.4 MEDIUM
CVE-2024-2928
< 2.11.3
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in vers
7.5 HIGH
CVE-2024-0520
< 2.9.0
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements
8.8 HIGH
CVE-2024-37061
>= 1.11.0
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted
8.8 HIGH
CVE-2024-37060
>= 1.27.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a malicio
8.8 HIGH
CVE-2024-37059
>= 0.5.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciou
8.8 HIGH
CVE-2024-37058
>= 2.5.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciou
8.8 HIGH
CVE-2024-37057
>= 2.0.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a malic
8.8 HIGH
CVE-2024-37056
>= 1.23.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a malicio
8.8 HIGH
CVE-2024-37055
>= 1.24.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a malicio
8.8 HIGH
CVE-2024-37054
>= 0.9.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciou
8.8 HIGH
CVE-2024-37053
>= 1.1.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciou
8.8 HIGH
CVE-2024-37052
>= 1.1.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciou
8.8 HIGH
CVE-2024-4263
< 2.12.1
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT per
5.4 MEDIUM
CVE-2024-3848
< 2.12.1
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-202
7.5 HIGH
CVE-2024-3573
< 2.10.0
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and
9.3 CRITICAL
CVE-2024-1594
< 2.11.3
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the artifact_location
7.5 HIGH
CVE-2024-1593
< 2.11.3
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling pat
7.5 HIGH
CVE-2024-1560
<= 2.9.2
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. At
8.1 HIGH
CVE-2024-1558
< 2.12.1
A path traversal vulnerability exists in the _create_model_version() function within server/handlers.py of the mlflow/mlflow r
7.5 HIGH
CVE-2024-1483
< 2.12.1
A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server.
7.5 HIGH
CVE-2024-27133
<= 2.9.2
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a clien
7.5 HIGH
CVE-2024-27132
<= 2.9.2
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when run
7.5 HIGH
CVE-2023-6977
>= 1.0.0 and < 2.9.2
This vulnerability enables malicious users to read sensitive files on the server.
7.5 HIGH
CVE-2023-6976
< 2.9.2
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the s
8.8 HIGH
CVE-2023-6975
< 2.9.2
A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models informati
9.8 CRITICAL
CVE-2023-6974
< 2.9.2
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (i.e., AWS instance) it could be abus
9.8 CRITICAL
CVE-2023-6940
< 2.9.2
With only one user interaction (download a malicious config), attackers can gain full command execution on the victim system.
8.8 HIGH
CVE-2023-6909
< 2.9.2
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
7.5 HIGH
CVE-2023-6831
< 2.9.2
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
8.1 HIGH
CVE-2023-6753
< 2.9.2
Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.
8.8 HIGH
CVE-2023-6709
< 2.9.2
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.
8.8 HIGH
CVE-2023-6568
<= 2.9.0
A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of t
6.1 MEDIUM
CVE-2023-43472
<= 2.8.1
An issue in MLflow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to RES
7.5 HIGH
CVE-2023-6014
all versions
An attacker is able to arbitrarily create an account in MLflow, bypassing any authentication requirement.
9.8 CRITICAL
CVE-2023-6018
all versions
An attacker can overwrite any file on the server hosting MLflow without any authentication.
9.8 CRITICAL
CVE-2023-6015
< 2.8.1
MLflow allowed arbitrary files to be PUT onto the server.
7.5 HIGH
CVE-2023-4033
< 2.6.0
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
7.8 HIGH
CVE-2023-3765
< 2.5.0
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
10.0 CRITICAL
CVE-2023-2780
< 2.3.1
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.
9.8 CRITICAL
CVE-2023-30172
< 2.0.1
A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read a
7.5 HIGH
CVE-2023-2356
< 2.3.1
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.
7.5 HIGH
CVE-2023-1177
< 2.2.1
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
9.3 CRITICAL
CVE-2023-1176
< 2.2.2
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.2.2.
3.3 LOW
CVE-2022-0736
< 1.23.1
Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.
7.5 HIGH