In mlflow/mlflow versions before 3.11.0, the functions get_or_create_nfs_tmp_dir() and _create_model_downloading_tmp_dir() create temporary directories with overly permissive access rights (0o777 and 0o770 respectively). These insecure permissions allow local attackers with access to the filesystem to modify model artifacts, including cloudpickle-serialized Python objects. When these tampered artifacts are deserialized using cloudpickle.load(), attackers can achieve arbitrary code execution. This vulnerability is especially relevant in environments using shared NFS mounts, such as Databricks, where NFS is enabled by default. The vulnerability is a continuation of the CWE-378 class addressed in CVE-2025-10279, which was only partially fixed previously. The CVSS v3.0 score is 7.0 (high severity), reflecting local attack vector with high impact on confidentiality, integrity, and availability.

Local attackers with access to the filesystem can exploit insecure temporary directory permissions to modify model artifacts. This can lead to arbitrary code execution upon deserialization of tampered artifacts, compromising system confidentiality, integrity, and availability. The vulnerability is particularly critical in shared NFS environments where multiple users have access to the same filesystem, increasing the risk of exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local filesystem access to trusted users only, especially on shared NFS mounts. Avoid running mlflow versions prior to 3.11.0 in environments where untrusted users have local access. Monitor vendor channels for updates and apply official patches once released.