Filtered by vendor Mlflow
Total: 4 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11201 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2025-11-04 | 9.8 Critical |
| MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921. | ||||
| CVE-2025-11200 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2025-11-04 | 9.8 Critical |
| MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916. | ||||
| CVE-2024-8859 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2025-08-05 | N/A |
| A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory. | ||||
| CVE-2023-4033 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2024-11-21 | 7.8 High |
| OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0. | ||||