CVE-2025-10279

GHSA-4x5p-f36r-mxxr HIGH
Published February 2, 2026
CISO Take

MLflow's insecure /tmp directory permissions (0o777) during venv creation expose training pipelines to local code execution via a race condition. Any shared compute environment — Jupyter hubs, multi-tenant GPU clusters, or containerized ML platforms without proper namespace isolation — is at risk. Patch to MLflow 3.4.0 immediately; if you can't patch today, restrict /tmp access with sticky bits and audit shared MLflow deployments.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip         < 3.4.0rc0         3.4.0rc0

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1
7.0 / 10
EPSS
0.0%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
Moderate

Recommended Action

  1. PATCH: Upgrade MLflow to >= 3.4.0 — the fix applies secure permissions to temp directories during venv creation.
  2. WORKAROUND (if immediate patch is not possible): Set sticky bit on /tmp (chmod +t /tmp) to prevent non-owners from deleting/overwriting others' files; use private temp directories via TMPDIR env var pointing to user-owned paths.
  3. ISOLATE: Run MLflow training jobs in dedicated containers or VMs with non-shared /tmp filesystems — this eliminates the attack surface entirely.
  4. DETECT: Monitor for unexpected writes to /tmp/*/.venv/ or /tmp/*/lib/python*/site-packages/ by processes other than mlflow; alert on mlflow process loading .py files from /tmp after a write by a different UID.
  5. AUDIT: Inventory all MLflow deployments, especially shared Jupyter/Slurm environments with multiple user accounts.
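To support the WORKAROUND, DETECT and AUDIT steps above, here is an added Python example (not MLflow's own code) that scans a temp root for world-writable directories of the 0o777 shape the advisory describes and creates a private 0o700 work directory suitable for TMPDIR. It assumes a POSIX host; the `mlflow-venv-*` names in its fixture are constructed placeholders, not MLflow's real naming.

```python
# Added audit example (not MLflow code); assumes a POSIX host.
# The "mlflow-venv-*" names in the fixture are constructed placeholders.
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def has_sticky_bit(path: str) -> bool:
    """chmod +t set: only an entry's owner (or root) may delete/rename it."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def dir_mode(path: str) -> int:
    """Permission bits of path, comparable against literals such as 0o777."""
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable_dirs(root: str) -> List[str]:
    """Directories under root writable by 'other' and lacking the sticky bit.
    A sticky /tmp protects only its direct entries, so subdirectories are
    walked as well; a 0o777 venv dir is exactly what this flags."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                found.append(path)
    return sorted(found)


def make_private_workdir(base: Optional[str] = None) -> str:
    """Per-user work dir for the TMPDIR workaround: mkdtemp uses mode 0o700
    and an unpredictable name; the chmod re-asserts 0o700 regardless of umask."""
    path = tempfile.mkdtemp(prefix="mlflow-private-", dir=base)
    os.chmod(path, 0o700)
    return path


def build_sample_tree() -> Tuple[str, str, str, str]:
    """Constructed fixture: a 0o777 venv dir, a 0o700 one, a sticky 0o1777 dir."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    names = ("mlflow-venv-bad", "mlflow-venv-good", "shared")
    bad, good, sticky = (os.path.join(root, n) for n in names)
    for path, mode in ((bad, 0o777), (good, 0o700), (sticky, 0o1777)):
        os.mkdir(path)
        os.chmod(path, mode)
    return root, bad, good, sticky
```

Run `world_writable_dirs("/tmp")` on a shared host to list candidate directories for the AUDIT step; a sticky bit on /tmp itself does not protect entries inside a 0o777 subdirectory, which is why the scan walks the tree.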

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI System Security
A.6.2.6 - Secure AI system development and deployment
A.8.3 - AI system operation and monitoring
A.9.7 - Protection of AI System Assets
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for AI risk management
GOVERN-6.1 - AI Risk Management Inventory and Policies
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and in place
MANAGE-2.2 - Mechanisms for Identifying and Addressing AI Risks
OWASP LLM Top 10
LLM03 - Training Data Poisoning

Technical Details

NVD Description

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.

Exploitation Scenario

On a shared GPU cluster where 20 data scientists run MLflow experiments, an adversary with a low-privilege shell account monitors inotify events on /tmp watching for MLflow venv directory creation. When MLflow creates /tmp/mlflow-venv-XXXX/ with 0o777 permissions, the attacker has a brief window to overwrite a commonly imported .py file (e.g., site.py, importlib bootstrap) with a malicious payload before MLflow's Python interpreter executes it. The injected code runs in the MLflow process context, harvesting AWS/GCP credentials from environment variables, exfiltrating model artifacts from the registry, and optionally modifying model weights before they're logged — a silent supply chain attack on the ML pipeline that produces poisoned models deployed to production.

CVSS Vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 2, 2026
Last Modified
February 3, 2026
First Seen
February 2, 2026