CVE-2026-2651
9
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/* endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mlflow | mlflow/mlflow | unspecified < 3.10.0 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
github.com/mlflow/mlflow: MLflow: Arbitrary code execution via unauthorized multipart upload access
Additional References
- https://access.redhat.com/security/cve/CVE-2026-2651
- https://bugzilla.redhat.com/show_bug.cgi?id=2481117
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json
References
- https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc
- https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.