PyPI: mlflow
CVE-2026-2614
Safety vulnerability ID: SFTY-20260511-88038
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
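An added example (not code from MLflow or from this advisory): a registry audit that flags model versions carrying the `mlflow.prompt.is_prompt` tag whose stored source is a local filesystem path, the combination the description above identifies. The record shape, the `looks_local` heuristic and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

PROMPT_TAG = "mlflow.prompt.is_prompt"  # tag named in the advisory


def looks_local(source: str) -> bool:
    """Heuristic (an assumption of this example): source names a path on the server's disk."""
    scheme = urlsplit(source).scheme
    if scheme == "file" or len(scheme) == 1:  # file: URI or Windows drive letter
        return True
    if scheme:  # any other scheme (s3, runs, models, ...) is not a local path
        return False
    segments = source.replace("\\", "/").split("/")
    return source.startswith(("/", "~")) or ".." in segments


def audit(model_versions):
    """Return (name, version, source) for prompt-tagged versions with a local source."""
    findings = []
    for mv in model_versions:
        tags = mv.get("tags") or {}
        source = mv.get("source") or ""
        # Per the advisory, only requests carrying the prompt tag skipped source validation.
        if PROMPT_TAG in tags and looks_local(source):
            findings.append((mv["name"], mv["version"], source))
    return findings


# Constructed sample records (hypothetical export shape, not real registry data).
SAMPLE = [
    {"name": "churn", "version": "3", "source": "s3://models/churn/3", "tags": {}},
    {"name": "greeting", "version": "1", "source": "/etc/hostname",
     "tags": {PROMPT_TAG: "true"}},
    {"name": "summary", "version": "2", "source": "file:///var/lib/app/secrets.env",
     "tags": {PROMPT_TAG: "true"}},
    {"name": "local-dev", "version": "1", "source": "/srv/models/dev", "tags": {}},
    {"name": "qa", "version": "4", "source": "runs:/abc123/prompt",
     "tags": {PROMPT_TAG: "true"}},
]

if __name__ == "__main__":
    for name, version, source in audit(SAMPLE):
        print(f"review {name} v{version}: prompt-tagged with local source {source!r}")
```

Any finding on a server that ran an affected release is worth correlating with artifact download requests for that model version in the access logs.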
Overview
MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem
References
- https://getsafety.com/vulnerabilities/SFTY-20260511-88038/CVE-2026-2614
- https://nvd.nist.gov/vuln/detail/CVE-2026-2614
- https://github.com/mlflow/mlflow/commit/6e801f4259d96804c73107315b24cef0f6aa115a
- https://huntr.com/bounties/19380271-3fbf-4beb-987e-6fd7069c55e6
- https://github.com/advisories/GHSA-42h5-h8qh-vv9v
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
