CVE-2025-10279

MLflow · MLflow

A vulnerability in MLflow version 2 could lead to unauthorized access or data manipulation within the machine learning lifecycle platform.

Executive summary

MLflow version 2 is affected by a High-severity vulnerability that could allow attackers to compromise machine learning experiments and data.

Vulnerability

This vulnerability affects MLflow, an open-source platform for the machine learning lifecycle. With a CVSS score of 7.0, the flaw likely involves insecure deserialization, path traversal, or improper access control within the MLflow tracking server or UI.

Business impact

The compromise of an MLflow instance can lead to the loss or corruption of machine learning models, training parameters, and sensitive datasets. This impacts the integrity of AI-driven decision-making and can result in significant intellectual property theft.

Remediation

Immediate Action: Update MLflow to the latest patched version to address the identified security flaw.

Proactive Monitoring: Audit the MLflow tracking server for unauthorized experiment creation or unexpected modifications to existing model artifacts.
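
One way to run this audit, as an added example that is not part of the original advisory or MLflow's own code. It assumes the artifact store is a local directory the auditor can read and that experiment records carry the `experiment_id` and `name` fields the tracking API returns; the function names, directory layout and sample records are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot_artifacts(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_artifacts(baseline, current):
    """Compare two snapshots and report modified, added and removed files."""
    return {
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def unexpected_experiments(experiments, approved_ids):
    """Return experiment records whose experiment_id is not approved."""
    # Assumption: records are dicts with experiment_id and name keys.
    approved = {str(i) for i in approved_ids}
    return [e for e in experiments if str(e["experiment_id"]) not in approved]

def demo():
    """Run both checks on constructed data (not taken from a real server)."""
    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp, "1", "run_a", "artifacts", "model.pkl")
        model.parent.mkdir(parents=True)
        model.write_bytes(b"trained-weights-v1")
        baseline = snapshot_artifacts(tmp)           # taken at a known-good time
        model.write_bytes(b"tampered-weights")       # unexpected modification
        Path(tmp, "1", "run_a", "artifacts", "extra.py").write_text("pass")
        drift = diff_artifacts(baseline, snapshot_artifacts(tmp))
    # Constructed sample records; experiment "7" is not on the approved list.
    experiments = [{"experiment_id": "0", "name": "Default"},
                   {"experiment_id": "1", "name": "fraud-model"},
                   {"experiment_id": "7", "name": "tmp-test"}]
    return drift, unexpected_experiments(experiments, {"0", "1"})

if __name__ == "__main__":
    print(demo())
```

Store the baseline snapshot and the approved experiment list somewhere the tracking server cannot write to, so a compromise of the server cannot also rewrite the reference data.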

Compensating Controls: Deploy MLflow behind an authentication proxy (such as Nginx with OIDC) so that only authorized users can interact with the API and UI.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations relying on MLflow for their AI workflows must prioritize this update. Applying the latest patch is essential to maintaining the confidentiality and integrity of the machine learning research and deployment pipeline.