CVE-2026-2651
9.0 CRITICALA vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifac...
Published: 2026-05-25 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 9.0 CRITICAL
- Vector
- CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
- CWE
- CWE-862
Affected products
| Vendor | Product |
|---|---|
| lfprojects | mlflow |
Description
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-2651
- [Patch]https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f
- [Exploit reference]https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
- [Exploit reference]https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
Related CVEs
Same vendor
- CVE-2026-10803 — A flaw has been found in MLflow up to 3.10.0 (3.6 LOW)
- CVE-2026-4035 — A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which... (7.7 HIGH)
- CVE-2026-3198 — MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints (6.5 MEDIUM)
- CVE-2026-2734 — In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack... (6.5 MEDIUM)
- CVE-2026-4137 — In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary d... (7.8 HIGH)
Same CWE
- CVE-2026-46645 — SQLAdmin is a flexible Admin interface for SQLAlchemy models (4.3 MEDIUM)
- CVE-2026-53634 — Sharp is a content management framework built for Laravel as a package (4.3 MEDIUM)
- CVE-2026-0272 — A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Comm...
- CVE-2026-49822 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
- CVE-2026-49821 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)