CVE-2026-4137
MLflow · MLflow
A security vulnerability affects MLflow versions prior to 3, potentially allowing for unauthorized interaction with the machine learning lifecycle management platform.
Executive summary
MLflow versions prior to 3 are subject to a security vulnerability that requires urgent attention to mitigate unauthorized access risks.
Vulnerability
The vulnerability affects versions of MLflow prior to 3. The specific nature of the flaw is currently undisclosed, necessitating a proactive approach to version management.
Business impact
With a CVSS score of 7.0, this vulnerability presents a High risk to the confidentiality and integrity of machine learning models and experiments. Successful exploitation could allow attackers to manipulate datasets or access sensitive intellectual property managed within the MLflow environment.
Remediation
Immediate Action: Upgrade all instances of MLflow to version 3 or the latest available patched release provided by the vendor.
Proactive Monitoring: Monitor API traffic and experiment logs for unusual patterns that may indicate unauthorized model manipulation or data exfiltration.
Compensating Controls: Ensure the MLflow server is not exposed to the public internet and require multi-factor authentication for all user access.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams must prioritize upgrading to version 3 to remediate this vulnerability. Given the role of MLflow in data science pipelines, maintaining the integrity of the platform is critical to preventing downstream model poisoning or unauthorized data access.