MLflow (Python) – Support, CVEs & Health

GHSA-3v79-q7ph-j75h CVSS_V3

MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution

Published: 2024-02-24 Fixed in: 2.10.0

GHSA-42h5-h8qh-vv9v CVSS_V3

MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem

Published: 2026-05-11 Fixed in: 3.10.0

GHSA-43c4-9qgj-x742 CVSS_V3

MLFlow unsafe deserialization

Published: 2024-06-04 No fix available

GHSA-46r5-x6jq-v8g6 CVSS_V3

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint

Published: 2026-04-07 Fixed in: 3.11.0rc0

GHSA-49m6-vrr9-2cqm CVSS_V3

MLflow Uncontrolled Resource Consumption vulnerability

Published: 2025-03-20 No fix available

GHSA-4qq5-mxxx-m6gg CVSS_V3

MLflow authentication requirement bypass can allow a user to arbitrarily create an account

Published: 2023-11-16 Fixed in: 2.8.0

GHSA-4rj2-9gcx-5qhx CVSS_V3

MLflow has Weak Password Requirements

Published: 2025-03-20 Fixed in: 2.19.0

GHSA-4rqf-8pfm-p36r CVSS_V3

MLflow has a Local File Read/Path Traversal in dbfs

Published: 2025-03-20 Fixed in: 2.17.0rc0

GHSA-4x5p-f36r-mxxr CVSS_V3

mlflow Creates of Temporary File in Directory with Insecure Permissions

Published: 2026-02-02 Fixed in: 3.4.0rc0

GHSA-554w-xh4j-8w64 CVSS_V3

Path traversal in MLflow

Published: 2023-12-15 Fixed in: 2.9.2

MLflow