CVE-2026-4137: MLflow: insecure tmp dir perms enable model artifact RCE
GHSA-f2m9-wcf4-cwwx | HIGH | CISA: ATTEND
MLflow before 3.11.0 creates model-download temp directories with world-writable (0o777) or group-writable (0o770) permissions, allowing any local user to swap out cloudpickle-serialized model artifacts before deserialization — yielding arbitrary code execution under the MLflow process. The blast radius is highest in Databricks and shared NFS environments where these paths span multiple users and workloads, and the exploitation primitive requires no special tooling beyond local filesystem access. This is a second pass at the same vulnerability class as CVE-2025-10279, meaning the original fix was incomplete and any attacker familiar with the prior CVE knows exactly where to look. No public exploit or KEV listing exists yet, but the attack is trivial once local access is established. Upgrade to MLflow 3.11.0 immediately and audit NFS-mounted tmp directories for world-writable paths (`find /tmp -type d -perm -o+w`) as an interim check.
What is the risk?
Despite a local attack vector, the risk profile is elevated for any organization running MLflow on shared infrastructure — particularly Databricks, where NFS is on by default and the vulnerable tmp paths are reachable across workspace users. The deserialization-to-RCE chain via cloudpickle is well-understood, reliable, and requires no AI/ML expertise to weaponize. The incomplete-fix lineage (bypassing CVE-2025-10279) signals that the root cause was not fully addressed upstream, raising the likelihood of further variants. Rate this HIGH in multi-tenant cloud ML environments, MEDIUM in single-user local development setups.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| MLflow | pip | < 3.11.0 | 3.11.0 |
Do you use MLflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps
1. Upgrade MLflow to 3.11.0 — commit 1dcbb0c2fbd1f446c328830e601ca13a28219b8a applies the fix.
2. On shared environments, enforce a restrictive umask (0022 or stricter) for all MLflow processes.
3. Audit NFS-mounted tmp directories: `find /tmp -type d -perm -o+w -ls` — any world-writable directory reachable by MLflow is a risk surface.
4. Restrict NFS mount permissions and enforce per-user tmp directory isolation at the OS or container level.
5. Monitor for unexpected file modifications in MLflow temp paths using inotify or equivalent.
6. If immediate upgrade is not possible, consider disabling NFS-backed tmp directories or restricting the MLflow process to a dedicated, non-shared user account.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-4137?
MLflow before 3.11.0 creates model-download temp directories with world-writable (0o777) or group-writable (0o770) permissions, allowing any local user to swap out cloudpickle-serialized model artifacts before deserialization — yielding arbitrary code execution under the MLflow process. The blast radius is highest in Databricks and shared NFS environments where these paths span multiple users and workloads, and the exploitation primitive requires no special tooling beyond local filesystem access. This is a second pass at the same vulnerability class as CVE-2025-10279, meaning the original fix was incomplete and any attacker familiar with the prior CVE knows exactly where to look. No public exploit or KEV listing exists yet, but the attack is trivial once local access is established. Upgrade to MLflow 3.11.0 immediately and audit NFS-mounted tmp directories for world-writable paths (`find /tmp -type d -perm -o+w`) as an interim check.
Is CVE-2026-4137 actively exploited?
No confirmed active exploitation of CVE-2026-4137 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-4137?
1. Upgrade MLflow to 3.11.0 — commit 1dcbb0c2fbd1f446c328830e601ca13a28219b8a applies the fix. 2. On shared environments, enforce a restrictive umask (0022 or stricter) for all MLflow processes. 3. Audit NFS-mounted tmp directories: `find /tmp -type d -perm -o+w -ls` — any world-writable directory reachable by MLflow is a risk surface. 4. Restrict NFS mount permissions and enforce per-user tmp directory isolation at the OS or container level. 5. Monitor for unexpected file modifications in MLflow temp paths using inotify or equivalent. 6. If immediate upgrade is not possible, consider disabling NFS-backed tmp directories or restricting the MLflow process to a dedicated, non-shared user account.
What systems are affected by CVE-2026-4137?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps CI/CD pipelines, shared NFS ML environments, ML experiment tracking.
What is the CVSS score for CVE-2026-4137?
CVE-2026-4137 has a CVSS v3.1 base score of 7.0 (HIGH). The EPSS exploitation probability is 0.19%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0112.001 AI Artifacts
Compliance Controls Affected
What are the technical details?
Original Advisory
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.
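Added example in Python (not MLflow's own code) serving both the remediation steps above and the technical details just quoted: an audit that flags group- or world-writable directories (the advisory's `find` check, widened to catch 0o770), a 0o700 replacement for the two insecure directory-creation patterns, and a guard to run before `cloudpickle.load()`. The names `UNSAFE_BITS`, `unsafe_dirs`, `create_private_tmp_dir`, `assert_safe_to_load` and `demo` are assumed here, and the sample directory tree is constructed.

```python
import os
import shutil
import stat
import tempfile

UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH  # bits that let other local users write

def unsafe_dirs(root):
    """Dirs under root that are group- or world-writable: the advisory's
    `find /tmp -type d -perm -o+w` check, widened to catch 0o770 too."""
    return [d for d, _, _ in os.walk(root) if os.lstat(d).st_mode & UNSAFE_BITS]

def create_private_tmp_dir(base):
    """Hardened replacement for the 0o777/0o770 pattern: mkdtemp creates the
    directory 0o700 regardless of umask, and chmod re-asserts it."""
    path = tempfile.mkdtemp(prefix="mlflow-model-", dir=base)
    os.chmod(path, 0o700)
    return path

def assert_safe_to_load(artifact_path):
    """Guard to call before cloudpickle.load(): refuse an artifact whose file
    or parent directory could have been swapped by another local user."""
    for p in (os.path.dirname(artifact_path), artifact_path):
        st = os.lstat(p)
        if st.st_uid != os.getuid():
            raise PermissionError(f"{p} owned by uid {st.st_uid}, not us")
        if st.st_mode & UNSAFE_BITS:
            raise PermissionError(f"{p} is group/world-writable")
    return True

def demo():
    """Constructed sample tree with the advisory's 0o777 and 0o770 modes."""
    base = tempfile.mkdtemp(prefix="cve-2026-4137-demo-")
    for name, mode in (("nfs_tmp", 0o777), ("model_dl", 0o770), ("ok", 0o700)):
        os.mkdir(os.path.join(base, name))
        os.chmod(os.path.join(base, name), mode)  # chmod bypasses umask
    flagged = sorted(os.path.basename(d) for d in unsafe_dirs(base))
    good = os.path.join(create_private_tmp_dir(base), "model.pkl")
    with open(os.open(good, os.O_WRONLY | os.O_CREAT, 0o600), "wb") as f:
        f.write(b"constructed placeholder, not a real pickle")
    try:  # the parent-directory check fires before the absent file is touched
        assert_safe_to_load(os.path.join(base, "nfs_tmp", "model.pkl"))
        refused = False
    except PermissionError:
        refused = True
    result = (flagged, assert_safe_to_load(good), refused)
    shutil.rmtree(base)
    return result
```

Running `demo()` flags `model_dl` and `nfs_tmp`, accepts the artifact staged in the private directory, and refuses the one staged under the world-writable path.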
Exploitation Scenario
An attacker with local access to a shared Databricks workspace watches the NFS-mounted tmp directory used by MLflow's model download code. When a legitimate user triggers a model load — such as a scheduled retraining job or a serving container restart — the attacker rapidly replaces the staged cloudpickle-serialized model artifact with a malicious payload before `cloudpickle.load()` is called. The victim's MLflow process deserializes the tampered file, executing the attacker's code with full access to the ML environment's credentials, datasets, and downstream systems. The race window is wide in environments where model downloads are slow over NFS, making reliable exploitation straightforward.
Weaknesses (CWE)
CWE-378 Creation of Temporary File With Insecure Permissions
Primary
CWE-378 — Creation of Temporary File With Insecure Permissions: Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
- [Requirements] Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
- [Implementation] Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Timeline
Related Vulnerabilities
- CVE-2025-15379 10.0 MLflow: RCE via unsanitized model dependency specs (Same package: mlflow)
- CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read (Same package: mlflow)
- CVE-2023-2780 9.8 MLflow: path traversal allows arbitrary file read/write (Same package: mlflow)
- CVE-2023-1177 9.8 MLflow: path traversal allows arbitrary file read/write (Same package: mlflow)
- CVE-2026-2635 9.8 mlflow: security flaw enables exploitation (Same package: mlflow)