Description
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.
Published: 2026-05-25
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the authorization layer of MLflow enables an attacker to reach the multipart upload endpoints at /mlflow-artifacts/mpu/* without performing a resource‑level permission check. With the --serve-artifacts option enabled, this permits the attacker to overwrite artifacts that belong to other users, creating a path for model supply‑chain poisoning and potentially arbitrary code execution when compromised models are loaded. The weakness is a classic missing access control (CWE‑862).

Affected Systems

The vulnerability exists in all MLflow releases up to and including 3.10.1.dev0 from the mlflow:mlflow/mlflow product line. The issue was addressed and fixed starting with version 3.10.0, although the precise resolution target is the point release 3.10.0. Users should verify that their installations have migrated to a fixed version before experience the validated fix.

Risk and Exploitability

The CVSS score of 9 indicates a high‑severity risk, while the EPSS score is not available and the vulnerability is not catalogued in the CISA KEV list. Attackers can exploit the flaw over the network by sending crafted HTTP requests to the exposed MPU endpoints when the server is running in --serve-artifacts mode. The attack requires no additional local privileges, making it a straightforward remote exploitation scenario.

Generated by OpenCVE AI on May 25, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow to version 3.10.0 or later to obtain the authorization fix
  • If upgrading immediately is not feasible, disable the --serve-artifacts mode to remove exposed MPU endpoints
  • Implement additional access controls or network segmentation to restrict who can reach the /mlflow-artifacts/mpu/ endpoints

Generated by OpenCVE AI on May 25, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Mon, 25 May 2026 06:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.
Title Missing Authorization Validation in mlflow/mlflow
Weaknesses CWE-862
References
Metrics cvssV3_0

{'score': 9, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-25T06:00:34.002Z

Reserved: 2026-02-18T01:33:23.276Z

Link: CVE-2026-2651

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T07:30:19Z

Weaknesses