CRITICAL 9.0

GHSA-8c7q-86fq-vvmh

MLflow allows unauthorized access to multipart upload endpoints when the `--serve-artifacts` mode is enabled

Details

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mlflow

Introduced in: 0 Fixed in: 3.11.0rc1

Fix pip install --upgrade 'mlflow>=3.11.0rc1'

References

https://nvd.nist.gov/vuln/detail/CVE-2026-2651 [ADVISORY]
https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f [WEB]
https://access.redhat.com/security/cve/CVE-2026-2651 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=2481117 [WEB]
https://github.com/mlflow/mlflow [PACKAGE]
https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc [WEB]
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json [WEB]