Description
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
Published: 2026-05-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in mlflow stems from temporary directories created by get_or_create_nfs_tmp_dir and _create_model_downloading_tmp_dir being writable by all users (world-writable, 0o777) or by the group (0o770). This insecure-permissions flaw (CWE-378) allows a local attacker on systems that use shared NFS mounts, such as Databricks, to replace or modify model artifact files. When mlflow deserializes these artifacts with cloudpickle.load(), the injected code is executed with the privileges of the mlflow process, yielding arbitrary code execution. The flaw is a continuation of the previously, only partially fixed vulnerability CVE-2025-10279 and is present in all releases before 3.11.0.

Affected Systems

The affected product is the mlflow library. Any installation of mlflow earlier than version 3.11.0 is vulnerable, regardless of operating system. The issue lies in the file utilities and pyfunc modules, so any code path that uses these modules to stage model artifacts and then loads them with cloudpickle through mlflow may be affected.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of < 1% indicates a very low likelihood of exploitation in the wild, but the vulnerability is real. It is not listed in CISA KEV. The likely attack vector requires a local attacker who can write to the shared NFS directory used by mlflow. By placing malicious files into that directory and then causing mlflow to load a model, the attacker can trigger arbitrary code execution. While exploitation needs local file-system access, the potential impact is full control over any process that deserializes the tampered artifacts.

Generated by OpenCVE AI on June 3, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mlflow library to version 3.11.0 or newer, which sets the correct permissions on temporary directories.
  • Configure the host to prevent world or group writable permissions on the directories where mlflow creates temporary files.
  • Audit the permissions after deployment to confirm correct settings.
  • Restrict write access to the shared NFS mount used by mlflow or segregate user directories so that untrusted local users cannot alter model artifacts.
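One way to carry out the permission audit and hardening recommended above, as an added example that is not mlflow's own code: it creates an owner-only (0o700) scratch directory the way a fixed implementation would, and checks any existing directory for the group/world-write bits that characterise the 0o777 and 0o770 cases. The directory names and the demo scenario are constructed for this example.

```python
"""Audit and harden temporary-directory permissions (added example, not mlflow code)."""
import os
import stat
import tempfile

# Permission bits that let anyone other than the owner write into a directory.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH


def unsafe_bits(path):
    """Return the group/world-write bits set on path (0 means only the owner can write)."""
    return stat.S_IMODE(os.lstat(path).st_mode) & UNSAFE_BITS


def is_safe_tmp_dir(path, expected_uid=None):
    """True only if path is a real directory (not a symlink), owned by us, and owner-writable only."""
    st = os.lstat(path)  # lstat: a symlink planted at this path must not pass the check
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != (os.getuid() if expected_uid is None else expected_uid):
        return False
    return unsafe_bits(path) == 0


def create_private_tmp_dir(base):
    """Create an owner-only (0o700) scratch directory under base and verify it before use."""
    os.makedirs(base, mode=0o700, exist_ok=True)
    path = tempfile.mkdtemp(dir=base)  # mkdtemp creates with 0o700 regardless of umask
    os.chmod(path, 0o700)              # defensive: re-assert in case the filesystem ignored the mode
    if not is_safe_tmp_dir(path):
        raise PermissionError(f"refusing to use insecure temporary directory: {path}")
    return path


def demo(base=None):
    """Constructed scenario: a 0o777 directory like the pre-3.11.0 behaviour next to a hardened one."""
    base = base or tempfile.mkdtemp()
    bad = os.path.join(base, "nfs_tmp")
    os.mkdir(bad)
    os.chmod(bad, 0o777)  # mimics get_or_create_nfs_tmp_dir() before the fix
    good = create_private_tmp_dir(base)
    return {
        "bad_unsafe_bits": unsafe_bits(bad),          # 0o022: group and world write
        "bad_is_safe": is_safe_tmp_dir(bad),          # False
        "good_is_safe": is_safe_tmp_dir(good),        # True
        "group_writable_bits": 0o770 & UNSAFE_BITS,   # 0o020: the 0o770 pyfunc variant is also unsafe
    }


if __name__ == "__main__":
    print(demo())
```

Run the audit function over mlflow's actual scratch locations on a host after deployment; any non-zero result from unsafe_bits() is a directory that should be fixed or replaced.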


Advisories

Source: GitHub GHSA
ID: GHSA-f2m9-wcf4-cwwx
Title: MLFlow Creates a Temporary File With Insecure Permissions
History

(Each entry lists the values added; no values were removed in any entry.)

Wed, 03 Jun 2026 02:30:00 +0000
  First Time appeared (added): Lfprojects; Lfprojects mlflow
  CPEs (added): cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  Vendors & Products (added): Lfprojects; Lfprojects mlflow
  Metrics (added): cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 19 May 2026 13:30:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 18 May 2026 21:45:00 +0000
  First Time appeared (added): Mlflow; Mlflow mlflow/mlflow
  Vendors & Products (added): Mlflow; Mlflow mlflow/mlflow

Mon, 18 May 2026 20:45:00 +0000
  Description (added): the vulnerability description shown at the top of this page
  Title (added): Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory Permissions in mlflow/mlflow
  Weaknesses (added): CWE-378
  References (added):
  Metrics (added): cvssV3_0 {'score': 7, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published:
Updated: 2026-05-19T12:47:53.221Z
Reserved: 2026-03-13T15:15:45.839Z
Link: CVE-2026-4137

Vulnrichment
Updated: 2026-05-19T12:47:45.893Z

NVD
Status: Analyzed
Published: 2026-05-18T21:16:40.710
Modified: 2026-06-02T20:10:57.400
Link: CVE-2026-4137

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-03T05:45:26Z

Weaknesses