CVE-2026-2614
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A vulnerability in the _create_model_version() handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The get_model_version_artifact_handler() function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mlflow | mlflow/mlflow | unspecified < 3.10.0 | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
mlflow: mlflow: Arbitrary file read via bypassed source path validation
Additional References
- https://access.redhat.com/security/cve/CVE-2026-2614
- https://bugzilla.redhat.com/show_bug.cgi?id=2469309
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2614.json
- https://access.redhat.com/errata/RHSA-2026:34456
References
- https://huntr.com/bounties/19380271-3fbf-4beb-987e-6fd7069c55e6
- https://github.com/mlflow/mlflow/commit/6e801f4259d96804c73107315b24cef0f6aa115a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.