HIGH SeverityCVSS 3.07.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2026-2614

Last updated May 11, 2026 · Published May 11, 2026

Description

A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

Affected products

1 listed

mlflow:mlflow/mlflow

Mappings

CWE

CWE-22

CAPEC

None listed.

Research

Path traversal: how to detect and prevent itPath traversal lets attackers read or write files outside intended directories. Normalise paths, resolve them…

Training

Secure File HandlingUploads, storage, and serving files without opening the door to attackers.

CVE-2026-2614

Description

Affected products

Mappings

Related