MLflow — Vulnerabilities & Security Advisories 61

Browse all 61 CVE security advisories affecting MLflow. AI-powered Chinese analysis, POCs, and references for each vulnerability.

MLflow is an open-source platform designed for the machine learning lifecycle, facilitating experiment tracking, reproducibility, and deployment. Despite its utility, the software has accumulated sixty-one Common Vulnerabilities and Exposures (CVEs), indicating significant historical security debt. The most prevalent vulnerability classes involve server-side request forgery, insecure direct object references, and cross-site scripting, often stemming from inadequate input validation in its web interface. Additionally, several issues relate to improper access control, allowing unauthorized users to manipulate experiment data or execute arbitrary code through crafted requests. While no single catastrophic breach has publicly defined its history, the high volume of CVEs suggests systemic weaknesses in authentication and session management. These flaws primarily impact the integrity and confidentiality of machine learning workflows, requiring rigorous patching and secure configuration by administrators to mitigate risks associated with its widely adopted tracking and model serving components.

Found 45 results / 61
Top products by MLflow: mlflow/mlflow MLflow
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-0545 | Missing Authentication for Critical Function in mlflow/mlflow — mlflow/mlflow | CWE-306 | 9.8 (AI) | Critical (AI) | 2026-04-03 |
| CVE-2026-0596 | Command Injection in mlflow/mlflow — mlflow/mlflow | CWE-78 | 7.8 | - | 2026-03-31 |
| CVE-2025-15379 | Command Injection in mlflow/mlflow — mlflow/mlflow | CWE-77 | 8.8 | - | 2026-03-30 |
| CVE-2025-15036 | Path Traversal Vulnerability in mlflow/mlflow — mlflow/mlflow | CWE-29 | 8.4 | - | 2026-03-30 |
| CVE-2025-15381 | Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow — mlflow/mlflow | CWE-200 | 5.4 | - | 2026-03-27 |
| CVE-2025-15031 | Path Traversal Vulnerability in mlflow/mlflow — mlflow/mlflow | CWE-22 | 7.8 | - | 2026-03-18 |
| CVE-2025-14287 | Command Injection in mlflow/mlflow — mlflow/mlflow | CWE-94 | 9.8 | - | 2026-03-15 |
| CVE-2025-10279 | Privilege Escalation in mlflow/mlflow — mlflow/mlflow | CWE-379 | 7.0 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-14279 | DNS Rebinding Vulnerability in mlflow/mlflow — mlflow/mlflow | CWE-346 | 8.8 (AI) | High (AI) | 2026-01-12 |
| CVE-2025-0453 | Denial of Service through Batched Queries in GraphQL in mlflow/mlflow — mlflow/mlflow | CWE-410 | 7.5 | - | 2025-03-20 |
| CVE-2025-1473 | CSRF in mlflow/mlflow — mlflow/mlflow | CWE-352 | 8.8 | - | 2025-03-20 |
| CVE-2025-1474 | Weak Password Requirements in mlflow/mlflow — mlflow/mlflow | CWE-521 | 9.8 | - | 2025-03-20 |
| CVE-2024-8859 | Path Traversal in mlflow/mlflow — mlflow/mlflow | CWE-29 | 7.5 | - | 2025-03-20 |
| CVE-2024-6838 | Uncontrolled Resource Consumption in mlflow/mlflow — mlflow/mlflow | CWE-400 | 8.2 | - | 2025-03-20 |
| CVE-2024-2928 | Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow — mlflow/mlflow | CWE-29 | 7.5 (AI) | High (AI) | 2024-06-06 |
| CVE-2024-0520 | Remote Code Execution due to Full Controlled File Write in mlflow/mlflow — mlflow/mlflow | CWE-22 | 9.8 (AI) | Critical (AI) | 2024-06-06 |
| CVE-2024-3099 | Denial of Service and Data Model Poisoning via URL Encoding in mlflow/mlflow — mlflow/mlflow | CWE-475 | 8.1 (AI) | High (AI) | 2024-06-06 |
| CVE-2024-4263 | Improper Access Control in mlflow/mlflow — mlflow/mlflow | CWE-284 | 8.1 (AI) | High (AI) | 2024-05-16 |
| CVE-2024-3848 | Path Traversal Bypass in mlflow/mlflow — mlflow/mlflow | CWE-29 | 7.5 (AI) | High (AI) | 2024-05-16 |
| CVE-2024-3573 | Local File Inclusion (LFI) via Scheme Confusion in mlflow/mlflow — mlflow/mlflow | CWE-29 | 7.5 | - | 2024-04-16 |
| CVE-2024-1558 | Path Traversal Vulnerability in mlflow/mlflow — mlflow/mlflow | CWE-22 | 6.5 | - | 2024-04-16 |
| CVE-2024-1594 | Local File Read via Path Traversal in mlflow/mlflow — mlflow/mlflow | CWE-22 | 7.5 | - | 2024-04-16 |
| CVE-2024-1560 | Path Traversal Vulnerability in mlflow/mlflow — mlflow/mlflow | CWE-22 | 7.5 | - | 2024-04-16 |
| CVE-2024-1593 | Path Traversal via Parameter Smuggling in mlflow/mlflow — mlflow/mlflow | CWE-22 | 9.1 | - | 2024-04-16 |
| CVE-2024-1483 | Path Traversal Vulnerability in mlflow/mlflow — mlflow/mlflow | CWE-22 | 7.5 | - | 2024-04-16 |
| CVE-2023-6977 | Path Traversal: '\..\filename' — mlflow/mlflow | CWE-29 | 6.5 | - | 2023-12-20 |
| CVE-2023-6976 | Unrestricted Upload of File with Dangerous Type — mlflow/mlflow | CWE-434 | 9.1 | - | 2023-12-20 |
| CVE-2023-6975 | Path Traversal: '\..\filename' — mlflow/mlflow | CWE-29 | 8.1 | - | 2023-12-20 |
| CVE-2023-6974 | Server-Side Request Forgery (SSRF) — mlflow/mlflow | CWE-918 | 9.8 | - | 2023-12-20 |
| CVE-2023-6940 | Command Injection — mlflow/mlflow | CWE-77 | 8.8 | - | 2023-12-19 |

This page lists every published CVE security advisory associated with MLflow. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.