Description
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Published: 2026-03-30
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in mlflow’s “extract_archive_to_dir” function lacks validation of tar archive member paths. An attacker who can supply a crafted tar.gz file can cause the function to write files outside the intended directory, allowing overwriting of arbitrary files or escape from a sandbox. This can lead to privilege escalation or arbitrary code execution, compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the mlflow open‑source machine learning platform. All releases before version 3.7.0 are impacted; upgrades to 3.7.0 or later mitigate the issue.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity, yet the EPSS score is below 1 %, showing a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector would involve remotely uploading a malicious tar.gz file to a mlflow instance that performs automatic extraction. If such uploads are possible, an attacker could overwrite critical files or elevate privileges. The risk remains high given the potential impact, even though the probability of exploitation appears low at present.

Generated by OpenCVE AI on March 31, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mlflow to version 3.7.0 or later, which includes proper validation of tar member paths.
  • If upgrading immediately is not feasible, restrict or sanitize any user‑supplied tar.gz archives to guarantee that extraction remains confined within the intended directory and verify that no forbidden paths are present.
  • Review existing extracted artifacts and system files for signs of unauthorized modifications to ensure no compromise has already occurred.

Generated by OpenCVE AI on March 31, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vhcx-3pq2-4fvc MLFlow path traversal vulnerability
History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Mon, 30 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Mon, 30 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Title Path Traversal Vulnerability in mlflow/mlflow
Weaknesses CWE-29
References
Metrics cvssV3_0

{'score': 9.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-31T03:55:39.134Z

Reserved: 2025-12-23T01:57:43.568Z

Link: CVE-2025-15036

cve-icon Vulnrichment

Updated: 2026-03-30T14:01:09.340Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T02:16:14.413

Modified: 2026-03-30T13:26:07.647

Link: CVE-2025-15036

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-30T01:16:06Z

Links: CVE-2025-15036 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:19Z

Weaknesses