CVE-2025-14279

GHSA-pgqp-8h46-6x4j HIGH
Published January 12, 2026
CISO Take

Any team running MLFlow ≤ 3.4.0 is exposed to DNS rebinding attacks that allow attacker-controlled web pages to silently query, modify, or delete ML experiments via the local REST API without authentication. Patch to 3.5.0 immediately—this is a one-line pip upgrade. If patching is blocked, bind MLFlow to localhost only and deploy a reverse proxy with Origin header enforcement in front of it.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| mlflow  | pip       | < 3.5.0          | 3.5.0   |


Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: 0.0% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Moderate

Recommended Action

  1. PATCH: Upgrade to MLFlow 3.5.0 immediately (`pip install --upgrade mlflow`).
  2. NETWORK: Bind MLFlow server to localhost only (`mlflow server --host 127.0.0.1`) and enforce firewall rules blocking external access to the tracking port.
  3. PROXY: If a shared MLFlow server is required, place nginx or traefik in front with explicit Origin header allowlist.
  4. DETECT: Audit MLFlow access logs for unexpected experiment deletions, bulk parameter queries, or access from unfamiliar source IPs in the past 90 days.
  5. SECRETS HYGIENE: Audit experiment parameters and tags for embedded API keys, credentials, or dataset access tokens—rotate any found.
  6. LONG-TERM: Enable MLFlow's built-in authentication and enforce network-level access controls as baseline MLOps hygiene.
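As an added example (not MLflow's own fix and not code from this advisory), a WSGI guard in the spirit of the NETWORK and PROXY steps: it allowlists the Host header, which a request arriving after DNS rebinding still carries as the attacker's domain, and the Origin header that the NVD text says the server did not validate. The allowlisted hosts and origins, the stand-in backend app and the request helper are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Hosts the tracking server is legitimately reached under (constructed for this example).
ALLOWED_HOSTS = {"127.0.0.1:5000", "localhost:5000"}
# Browser origins permitted to call the API; any other Origin (including "null") is refused.
ALLOWED_ORIGINS = {"http://127.0.0.1:5000", "http://localhost:5000"}


def request_allowed(host, origin, allowed_hosts=ALLOWED_HOSTS, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason) for one request's Host and Origin headers.
    After DNS rebinding the browser still sends the attacker's domain in Host (the
    scenario's mlops-toolkit-update.com:5000), so an exact Host allowlist defeats the
    rebinding by itself; Origin, when a browser sends it, must match as well.
    """
    if not host or host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not in allowlist"
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}".lower() not in {o.lower() for o in allowed_origins}:
            return False, "origin not in allowlist"
    return True, "ok"


class RebindingGuard:
    """WSGI middleware that answers 403 before a failing request reaches the wrapped app."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS, allowed_origins=ALLOWED_ORIGINS):
        self.app, self.allowed_hosts, self.allowed_origins = app, allowed_hosts, allowed_origins

    def __call__(self, environ, start_response):
        ok, reason = request_allowed(environ.get("HTTP_HOST"), environ.get("HTTP_ORIGIN"),
                                     self.allowed_hosts, self.allowed_origins)
        if not ok:
            body = reason.encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _backend(environ, start_response):  # stand-in for the tracking server's WSGI app (constructed)
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"experiments": []}']


def status_for(host, origin=None, path="/api/2.0/mlflow/experiments/list"):
    """Send one request through the guarded app and return the HTTP status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    seen = []
    RebindingGuard(_backend)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

A reverse proxy in front of a shared server should apply the same two checks; this guard is the in-process equivalent for a local tracking server.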

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Art. 9 - Risk Management System for High-Risk AI
  - Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  - A.6.2 - AI system security requirements
  - A.6.2.5 - AI System Access and Use Controls
  - A.8.3 - Security of AI System Development and Maintenance
NIST AI RMF
  - GOVERN 6.1 - Policies for AI risk and security are established and maintained
  - MANAGE 2.2 - Mechanisms are in place to sustain the value and integrity of deployed AI systems
OWASP LLM Top 10
  - LLM02 - Sensitive Information Disclosure
  - LLM06:2025 - Sensitive Information Disclosure

Technical Details

NVD Description

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.

Exploitation Scenario

An attacker registers a domain (e.g., mlops-toolkit-update.com) and hosts malicious JavaScript. They send a targeted phishing email to a data scientist on the victim team. The scientist visits the page while their local MLFlow tracking server runs on the default localhost:5000. The attacker's DNS server rotates the domain's A record to 127.0.0.1 after initial connection—classic DNS rebinding. The malicious JavaScript now issues `fetch()` calls to `http://mlops-toolkit-update.com:5000/api/2.0/mlflow/experiments/list`, which the browser permits because the origin appears to match. The script silently exfiltrates all experiment metadata, run parameters (including any embedded secrets), and artifact URIs, then optionally deletes experiments to destroy evidence. No authentication prompt is shown; the scientist notices nothing.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: January 12, 2026
Last Modified: January 13, 2026
First Seen: January 12, 2026