Lfprojects

Mlflow

77 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.35%
  • Veröffentlicht 02.07.2026 07:32:58
  • Zuletzt bearbeitet 06.07.2026 16:46:06

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, ...

Exploit
  • EPSS 0.26%
  • Veröffentlicht 28.06.2026 08:30:09
  • Zuletzt bearbeitet 01.07.2026 14:03:09

A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is pos...

Exploit
  • EPSS 0.1%
  • Veröffentlicht 04.06.2026 11:45:10
  • Zuletzt bearbeitet 04.06.2026 18:24:41

A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to l...

Exploit
  • EPSS 0.44%
  • Veröffentlicht 03.06.2026 07:18:08
  • Zuletzt bearbeitet 30.06.2026 03:20:29

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint....

Exploit
  • EPSS 0.24%
  • Veröffentlicht 02.06.2026 02:50:47
  • Zuletzt bearbeitet 03.06.2026 17:07:05

MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entrie...

Exploit
  • EPSS 0.35%
  • Veröffentlicht 25.05.2026 06:00:34
  • Zuletzt bearbeitet 27.06.2026 05:16:43

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artif...

Exploit
  • EPSS 0.44%
  • Veröffentlicht 21.05.2026 03:49:38
  • Zuletzt bearbeitet 02.06.2026 01:19:07

In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user t...

Exploit
  • EPSS 0.37%
  • Veröffentlicht 19.05.2026 09:16:42
  • Zuletzt bearbeitet 27.06.2026 05:16:43

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow ...

Exploit
  • EPSS 0.19%
  • Veröffentlicht 18.05.2026 20:26:23
  • Zuletzt bearbeitet 02.06.2026 20:10:57

In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `ml...

Exploit
  • EPSS 1.5%
  • Veröffentlicht 15.05.2026 02:13:19
  • Zuletzt bearbeitet 18.05.2026 18:16:35

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission...