Vulnerabilities (Public)
Known vulnerabilities and security issues detected in the extension's dependencies and code.
| Vulnerability ID | Advisory | Severity | | | Affected Versions |
|---|---|---|---|---|---|
| CVE-2026-0545 | Affected versions of the mlflow package are vulnerable to Missing Authentication due to the FastAPI job endpoints mounted under /ajax-api/3.0/jobs/* not enforcing authentication or authorization when … | Critical | – | – | <=3.10.1 |
| CVE-2025-15379 | MLflow Command Injection vulnerability | Critical | – | – | < 3.8.1 |
| CVE-2025-15036 | MLFlow path traversal vulnerability | Critical | – | – | < 3.9.0rc0 |
| CVE-2026-2652 | Affected versions of the mlflow package are vulnerable to Authentication Bypass due to incomplete enforcement of authentication middleware on non-gateway routes when the server is run with --app-name … | High | – | – | <3.11.0 |
| CVE-2026-2614 | MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem | High | – | – | < 3.10.0 |
| CVE-2026-2393 | MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability | High | – | – | < 3.9.0 |
| CVE-2026-0596 | Mlflow: Command Injection when serving models with enable_mlserver=True | High | – | – | < 3.9.0 |
| CVE-2025-15381 | MLFlow allows Tracing + Assessments Access | High | – | – | <= 3.8.1 |
| CVE-2026-33865 | Affected versions of the mlflow package are vulnerable to Stored Cross-Site Scripting due to unsafe parsing of YAML-based MLmodel artifacts when rendered in the web interface. The web UI processes att… | Medium | – | – | <=3.10.1 |
| CVE-2026-33866 | MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint | Medium | – | – | <= 3.10.1 |
Safety Discovered Vulnerabilities
Additional security issues found by Safety, exclusive to our platform.

