AI Threat Alert

MLflow Vulnerabilities

pip MLOps
81
Risk Score
68
Total CVEs
16
Critical
pip
Ecosystem
May 19, 2026
Last CVE
26%
Patch Rate
58d
Avg Time to Patch
25,968 stars 5,741 forks 2,088 issues 636 dependents Last push May 17, 2026
View on GitHub
OpenSSF Scorecard 4.6/10

Known Vulnerabilities (68 total, page 2 of 3)

Severity CVE ID Summary CVSS Published
HIGH CVE-2024-8859 MLflow: path traversal allows arbitrary file read via DBFS 7.5 Mar 20, 2025 MEDIUM CVE-2024-6838 MLflow: unconstrained input causes UI denial of service 5.3 Mar 20, 2025 HIGH CVE-2024-27134 MLflow: local privilege escalation via spark_udf ToCToU 7.0 Nov 25, 2024 MEDIUM CVE-2024-3099 MLflow: URL encoding bypass enables model poisoning 5.4 Jun 6, 2024 HIGH CVE-2024-2928 MLflow: URI fragment LFI exposes arbitrary files 7.5 Jun 6, 2024 HIGH CVE-2024-0520 MLflow: path traversal enables RCE via dataset loading 8.8 Jun 6, 2024 HIGH CVE-2024-37061 MLflow: RCE via malicious MLproject file execution 8.8 Jun 4, 2024 HIGH CVE-2024-37060 MLflow: RCE via deserialization in crafted Recipes 8.8 Jun 4, 2024 HIGH CVE-2024-37059 MLflow: RCE via malicious PyTorch model deserialization 8.8 Jun 4, 2024 HIGH CVE-2024-37058 MLflow: RCE via malicious LangChain model deserialization 8.8 Jun 4, 2024 HIGH CVE-2024-37057 MLflow: RCE via malicious TensorFlow model deserialization 8.8 Jun 4, 2024 HIGH CVE-2024-37056 MLflow: RCE via LightGBM model deserialization 8.8 Jun 4, 2024 HIGH CVE-2024-37055 MLflow: RCE via pmdarima model deserialization 8.8 Jun 4, 2024 HIGH CVE-2024-37054 MLflow: deserialization RCE via malicious PyFunc model 8.8 Jun 4, 2024 HIGH CVE-2024-37053 MLflow: RCE via malicious scikit-learn model deserialization 8.8 Jun 4, 2024 HIGH CVE-2024-37052 MLflow: RCE via malicious scikit-learn model upload 8.8 Jun 4, 2024 MEDIUM CVE-2024-4263 MLflow: broken access control allows artifact deletion 5.4 May 16, 2024 HIGH CVE-2024-3848 MLflow: URL fragment bypass leaks SSH and cloud keys 7.5 May 16, 2024 CRITICAL CVE-2024-3573 MLflow: LFI via URI parsing allows arbitrary file read 9.3 Apr 16, 2024 HIGH CVE-2024-1594 MLflow: path traversal via URI fragment reads arbitrary files 7.5 Apr 16, 2024 HIGH CVE-2024-1593 MLflow: path traversal via ';' smuggling exposes files 7.5 Apr 16, 2024 HIGH CVE-2024-1560 MLflow: path traversal allows arbitrary directory deletion 8.1 Apr 16, 2024 HIGH CVE-2024-1558 MLflow: path traversal enables arbitrary file read 7.5 Apr 16, 2024 HIGH CVE-2024-1483 MLflow: path traversal exposes arbitrary server files 7.5 Apr 16, 2024 CRITICAL CVE-2024-27133 MLflow: XSS in recipe runner enables Jupyter RCE 9.6 Feb 23, 2024

Showing 26–50 of 68

← Previous Next →

Monitor MLflow in your stack

Get instant alerts when new vulnerabilities affect MLflow. CISO analysis, ATLAS technique mappings, and compliance reports included.

Start Monitoring