CVEFinder.io

CVE-2026-4137

⚠ī¸ high
🔍 Scan for this CVE
Summary

In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution

Description

In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.

CVSS Score
7.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-18
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 326,604 vulnerabilities in our database.

#99,150
Above average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: May 19, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2026-06-02
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-378

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
lfprojects mlflow Affected
< 3.11.0

🔗 References 2

https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1...
Patch
https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f...
Exploit Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-10803 ℹī¸ low 3.6 0.0 A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflo... 2026-06-04
CVE-2026-4035 ⚠ī¸ high 7.7 0.1 A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gatew... 2026-06-03
CVE-2026-3198 đŸ”ļ medium 6.5 0.0 MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'l... 2026-06-02
CVE-2026-2651 ⛔ critical 9.0 0.1 A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the... 2026-05-25
CVE-2026-2734 đŸ”ļ medium 6.5 0.0 In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` G... 2026-05-21
CVE-2026-2611 ⛔ critical 9.6 0.0 In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. ... 2026-05-19
These CVEs affect the same products