CVE-2026-2614: Arbitrary File Access in MLflow
Platform
python
Component
mlflow
Fixed in
3.10.0
CVE-2026-2614 describes an Arbitrary File Access vulnerability discovered in the mlflow/mlflow project. This flaw allows an unauthenticated attacker to read arbitrary files from the server's filesystem. The vulnerability impacts versions 3.9.0 and earlier of MLflow and is resolved in version 3.10.0.
Detect this CVE in your project
Upload your requirements.txt file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
An attacker exploiting this vulnerability can gain unauthorized access to sensitive files stored on the MLflow server. This could include configuration files, credentials, or even source code. The ability to read arbitrary files represents a significant data breach risk. While the vulnerability requires an unauthenticated attacker, the ease of exploitation makes it a high-priority concern. Successful exploitation could lead to the exposure of proprietary algorithms, training data, or other confidential information crucial to machine learning workflows. This vulnerability shares similarities with other file access bypasses where insufficient validation of user-supplied paths leads to unintended file disclosure.
Exploitation Context
CVE-2026-2614 was published on 2026-05-11. Its severity is rated HIGH with a CVSS score of 7.5. There is currently no indication of this vulnerability being actively exploited in the wild. No public Proof-of-Concept (PoC) exploits have been published. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or has an EPSS score, suggesting a low to medium probability of exploitation.
Threat Intelligence
Exploit Status
EPSS
0.04% (12% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- None — no integrity impact. Attacker cannot modify data.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-2614 is to upgrade MLflow to version 3.10.0 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing a temporary workaround by restricting access to the createmodelversion() handler. This can be achieved through network segmentation or access control lists (ACLs) to limit access to authorized users only. Additionally, monitor MLflow server logs for any suspicious activity related to file access requests, particularly those involving the mlflow.prompt.isprompt tag. After upgrading, confirm the fix by attempting to create a model version with a malicious mlflow.prompt.is_prompt tag and verifying that the server denies the request and does not serve arbitrary files.
How to fix
Actualice a la versión 3.10.0 o posterior para mitigar la vulnerabilidad. Esta versión corrige el problema de validación de la fuente al leer archivos, evitando la lectura arbitraria de archivos del sistema.
Frequently asked questions
What is CVE-2026-2614 — Arbitrary File Access in MLflow?
CVE-2026-2614 is a HIGH severity vulnerability in MLflow versions 0.0.0–3.10.0 that allows an unauthenticated attacker to read arbitrary files from the server's filesystem by exploiting a flaw in the createmodel_version() handler.
Am I affected by CVE-2026-2614 in MLflow?
You are affected if you are using MLflow versions 3.9.0 or earlier. Upgrade to version 3.10.0 to resolve the vulnerability.
How do I fix CVE-2026-2614 in MLflow?
Upgrade MLflow to version 3.10.0 or later. As a temporary workaround, restrict access to the createmodel_version() handler.
Is CVE-2026-2614 being actively exploited?
There is currently no indication that CVE-2026-2614 is being actively exploited in the wild, and no public PoCs are available.
Where can I find the official MLflow advisory for CVE-2026-2614?
Refer to the MLflow project's security advisories and release notes for the official advisory regarding CVE-2026-2614: [https://mlflow.org/docs/latest/security.html](https://mlflow.org/docs/latest/security.html)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your requirements.txt file and we'll tell you instantly if you're affected.
Scan your Python project now — no account
Upload your requirements.txt and get the vulnerability report instantly. No account. Uploading the file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...