CVE-2026-2614: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in mlflow mlflow/mlflow
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
AI Analysis
Technical Summary
This vulnerability exists in the _create_model_version() handler in mlflow/server/handlers.py. When a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, source path validation is bypassed, allowing an attacker to specify an arbitrary local filesystem path as the model version source. Subsequently, the get_model_version_artifact_handler() serves files from this path without verifying the prompt status, enabling unauthorized file reading. The vulnerability affects mlflow versions 3.9.0 and earlier and is addressed in version 3.10.0.
Potential Impact
An unauthenticated remote attacker can read arbitrary files on the server hosting mlflow, resulting in a complete confidentiality compromise of potentially sensitive data stored on the filesystem. There is no impact on integrity or availability reported.
Mitigation Recommendations
Upgrade mlflow to version 3.10.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 3.10.0, applying this official fix is the recommended remediation. Patch status is not explicitly stated beyond this version update, so verify with the vendor advisory for any additional guidance.
CVE-2026-2614: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in mlflow mlflow/mlflow
Description
A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability exists in the _create_model_version() handler in mlflow/server/handlers.py. When a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, source path validation is bypassed, allowing an attacker to specify an arbitrary local filesystem path as the model version source. Subsequently, the get_model_version_artifact_handler() serves files from this path without verifying the prompt status, enabling unauthorized file reading. The vulnerability affects mlflow versions 3.9.0 and earlier and is addressed in version 3.10.0.
Potential Impact
An unauthenticated remote attacker can read arbitrary files on the server hosting mlflow, resulting in a complete confidentiality compromise of potentially sensitive data stored on the filesystem. There is no impact on integrity or availability reported.
Mitigation Recommendations
Upgrade mlflow to version 3.10.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 3.10.0, applying this official fix is the recommended remediation. Patch status is not explicitly stated beyond this version update, so verify with the vendor advisory for any additional guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-02-17T06:46:27.686Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a022c38cbff5d86104f7cc3
Added to database: 5/11/2026, 7:21:28 PM
Last enriched: 5/11/2026, 7:36:56 PM
Last updated: 5/12/2026, 3:48:52 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.