ATLAS Landscape
AML.T0035
AI Artifact Collection
Adversaries may collect AI artifacts for [Exfiltration](/tactics/AML.TA0010) or for use in [AI Attack Staging](/tactics/AML.TA0001). AI artifacts include models and datasets as well as other telemetry data produced when interacting with a model.
99 CVEs mapped
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2024-2912 | BentoML: RCE via insecure deserialization (CVSS 10) | | 10.0 |
| CRITICAL | CVE-2023-3765 | MLflow: path traversal allows arbitrary file read | mlflow | 10.0 |
| CRITICAL | CVE-2024-41118 | streamlit-geospatial: blind SSRF via WMS URL input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-52803 | LlamaFactory: RCE via OS command injection in training | llamafactory | 9.8 |
| CRITICAL | CVE-2024-41115 | streamlit-geospatial: eval() injection enables RCE | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2026-2635 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2023-1177 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| CRITICAL | CVE-2026-25960 | vllm: SSRF allows internal network access | vllm | 9.8 |
| CRITICAL | CVE-2023-25668 | TensorFlow: unauthenticated RCE via heap buffer overflow | tensorflow | 9.8 |
| CRITICAL | CVE-2025-11201 | mlflow: Path Traversal enables file access | mlflow | 9.8 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2023-2780 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| CRITICAL | CVE-2025-45150 | ChatGLM-Webui: arbitrary file read, no auth required | langchain-chatglm-webui | 9.8 |
| CRITICAL | CVE-2023-6014 | MLflow: auth bypass allows arbitrary account creation | mlflow | 9.8 |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| CRITICAL | CVE-2023-48022 | Ray: unauthenticated RCE via job submission API | ray | 9.8 |
| CRITICAL | CVE-2024-2057 | LangChain TFIDFRetriever: SSRF/RCE via load_local | langchain | 9.8 |
| CRITICAL | CVE-2025-15036 | MLflow: path traversal enables sandbox escape, file overwrite | mlflow | 9.6 |
| CRITICAL | CVE-2024-3573 | MLflow: LFI via URI parsing allows arbitrary file read | mlflow | 9.3 |
| CRITICAL | CVE-2023-6021 | Ray: LFI allows unauthenticated file read | ray | 9.3 |
| CRITICAL | CVE-2023-6020 | Ray: unauthenticated LFI exposes entire filesystem | ray | 9.3 |
| CRITICAL | CVE-2024-47871 | Gradio: cleartext MITM exposes ML demo data via share=True | gradio | 9.1 |
| CRITICAL | CVE-2023-34239 | Gradio: path traversal + SSRF exposes model files & infra | gradio | 9.1 |
| CRITICAL | CVE-2025-29783 | vLLM: RCE via unsafe deserialization in Mooncake KV | vllm | 9.0 |
| HIGH | CVE-2023-6709 | MLflow: SSTI enables RCE in ML experiment tracking | mlflow | 8.8 |
| HIGH | CVE-2023-6753 | MLflow: path traversal exposes arbitrary file read/write | mlflow | 8.8 |
| HIGH | CVE-2026-33175 | oauthenticator: auth bypass enables JupyterHub account takeover | | 8.8 |
| HIGH | CVE-2025-33213 | NVIDIA: Deserialization enables RCE | | 8.8 |
| HIGH | CVE-2024-0520 | MLflow: path traversal enables RCE via dataset loading | mlflow | 8.8 |
| HIGH | CVE-2025-15381 | MLflow: broken access control exposes experiment traces | mlflow | 8.1 |
| HIGH | CVE-2024-47870 | Gradio: race condition enables backend URL hijacking | gradio | 8.1 |
| HIGH | CVE-2026-25750 | langsmith: security flaw enables exploitation | langsmith | 8.1 |
| HIGH | CVE-2026-2033 | mlflow: Path Traversal enables file access | mlflow | 8.1 |
| HIGH | CVE-2025-61784 | LLaMA-Factory: SSRF+LFI in multimodal chat API | llamafactory | 8.1 |
| HIGH | CVE-2025-14279 | mlflow: security flaw enables exploitation | mlflow | 8.1 |
| HIGH | CVE-2023-6572 | Gradio: command injection enables RCE on ML servers | gradio | 8.1 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | open-webui | 8.1 |
| HIGH | CVE-2021-37648 | TensorFlow SaveV2: null ptr deref, local crash/RCE | tensorflow | 7.8 |
| HIGH | CVE-2024-14021 | llamaindex: Deserialization enables RCE | llamaindex | 7.8 |
| HIGH | CVE-2025-23298 | Merlin Transformers4Rec: code injection via Python dep | | 7.8 |
| HIGH | CVE-2024-34072 | SageMaker SDK: pickle deserialization enables RCE | | 7.8 |
| HIGH | CVE-2023-25801 | TensorFlow: double-free in pooling ops enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-37639 | TensorFlow: heap OOB read via tensor restore API | tensorflow | 7.8 |
| HIGH | CVE-2021-29566 | TensorFlow: heap OOB write in Dilation2D training op | tensorflow | 7.8 |
| HIGH | CVE-2021-29520 | TensorFlow: heap buffer overflow in Conv3DBackprop ops | tensorflow | 7.8 |
| HIGH | CVE-2026-22219 | chainlit: SSRF allows internal network access | chainlit | 7.7 |
| HIGH | CVE-2021-43831 | Gradio: path traversal exposes host filesystem to users | gradio | 7.7 |
| HIGH | CVE-2024-1593 | MLflow: path traversal via ';' smuggling exposes files | mlflow | 7.5 |
| HIGH | CVE-2026-33484 | langflow: Access Control bypass enables privilege escalation | langflow | 7.5 |
| HIGH | CVE-2024-4941 | Gradio: LFI via JSON path key exposes server files | gradio | 7.5 |
| HIGH | CVE-2024-1594 | MLflow: path traversal via URI fragment reads arbitrary files | mlflow | 7.5 |
| HIGH | CVE-2024-47868 | Gradio: path traversal leaks arbitrary server files | gradio | 7.5 |
| HIGH | CVE-2024-1558 | MLflow: path traversal enables arbitrary file read | mlflow | 7.5 |
| HIGH | CVE-2024-1483 | MLflow: path traversal exposes arbitrary server files | mlflow | 7.5 |
| HIGH | CVE-2024-1728 | Gradio: path traversal leaks arbitrary files, potential RCE | gradio | 7.5 |
| HIGH | CVE-2024-8859 | MLflow: path traversal allows arbitrary file read via DBFS | mlflow | 7.5 |
| HIGH | CVE-2023-51449 | Gradio: path traversal grants arbitrary file read | gradio | 7.5 |
| HIGH | CVE-2023-6909 | MLflow: path traversal exposes arbitrary files (no auth) | mlflow | 7.5 |
| HIGH | CVE-2023-43472 | MLflow: unauth REST API leaks sensitive ML data | mlflow | 7.5 |
| HIGH | CVE-2026-28414 | gradio: security flaw enables exploitation | gradio | 7.5 |
| HIGH | CVE-2023-46315 | Infinite Image Browsing: path traversal leaks credentials | | 7.5 |
| HIGH | CVE-2026-4503 | Langflow Desktop: IDOR leaks user images unauthenticated | langflow | 7.5 |
| HIGH | CVE-2023-30172 | MLflow: path traversal exposes arbitrary server files | mlflow | 7.5 |
| HIGH | CVE-2023-2356 | MLflow: path traversal allows unauthenticated file read | mlflow | 7.5 |
| HIGH | CVE-2024-2928 | MLflow: URI fragment LFI exposes arbitrary files | mlflow | 7.5 |
| HIGH | CVE-2025-7647 | llama-index-core: insecure /tmp dir, model theft risk | llama-index-core | 7.3 |
| HIGH | CVE-2026-35397 | Jupyter Server: path traversal leaks sibling directories | jupyter-server | 7.1 |
| HIGH | CVE-2024-21799 | Intel Extension for Transformers: path traversal privesc | | 7.1 |
| HIGH | CVE-2025-1473 | MLflow: CSRF in signup allows rogue account creation | mlflow | 7.1 |
| HIGH | CVE-2024-27134 | MLflow: local privilege escalation via spark_udf ToCToU | mlflow | 7.0 |
| MEDIUM | CVE-2023-30767 | Intel TF Opt: buffer overflow enables local privesc | optimization_for_tensorflow | 6.7 |
| MEDIUM | CVE-2025-51481 | Dagster: path traversal exposes arbitrary file read via gRPC | | 6.6 |
| MEDIUM | CVE-2022-35918 | Streamlit: path traversal leaks server filesystem | streamlit | 6.5 |
| MEDIUM | CVE-2024-47164 | Gradio: path traversal bypasses directory access controls | gradio | 6.5 |
| MEDIUM | CVE-2022-36551 | Label Studio: SSRF + file read, self-reg bypass | label-studio | 6.5 |
| MEDIUM | CVE-2026-6542 | Langflow: IDOR exposes cross-tenant flow data and deletion | langflow | 6.5 |
| MEDIUM | CVE-2025-1979 | Ray: Redis password exposed via plaintext logging | ray | 6.4 |
| MEDIUM | CVE-2026-27167 | gradio: Weak Credentials allow account compromise | gradio | 5.9 |
| MEDIUM | CVE-2025-52967 | MLflow: unauthenticated SSRF in gateway proxy | mlflow | 5.8 |
| MEDIUM | CVE-2021-37687 | TFLite: heap OOB read via negative indices in GatherNd | tensorflow | 5.5 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| MEDIUM | CVE-2024-4263 | MLflow: broken access control allows artifact deletion | mlflow | 5.4 |
| MEDIUM | CVE-2024-47166 | Gradio: path traversal leaks custom component source | gradio | 5.3 |
| MEDIUM | CVE-2026-4538 | AI component: Input Validation flaw enables exploitation | | 5.3 |
| MEDIUM | CVE-2024-0451 | wpbot: missing auth exposes OpenAI account files | wpbot | 5.0 |
| MEDIUM | CVE-2024-5206 | scikit-learn: TfidfVectorizer leaks training data tokens | scikit-learn | 4.7 |
| MEDIUM | CVE-2025-6854 | Langchain-Chatchat: path traversal in file API exposes host FS | langchain-chatchat | 4.3 |
| MEDIUM | CVE-2024-7045 | open-webui: missing authz exposes admin prompts | open-webui | 4.3 |
| LOW | CVE-2023-1176 | MLflow: path traversal exposes arbitrary local files | mlflow | 3.3 |
| UNKNOWN | CVE-2025-14921 | transformers: Deserialization enables RCE | transformers | — |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | — |
| UNKNOWN | CVE-2018-7577 | TensorFlow: Snappy memcpy overlap crash/mem disclosure | tensorflow | — |
| HIGH | CVE-2026-40110 | Jupyter Server: CORS bypass via regex anchor omission | jupyter-server | — |
| CRITICAL | CVE-2025-32428 | jupyter-remote-desktop-proxy: VNC network exposure | jupyter-remote-desktop-proxy | — |
| HIGH | CVE-2026-22033 | label-studio: XSS enables session hijacking | label-studio | — |
| UNKNOWN | CVE-2024-1561 | Gradio: path traversal enables arbitrary file read | gradio | — |
| UNKNOWN | CVE-2024-12065 | LLaVA: path traversal allows arbitrary file read | | — |
| MEDIUM | CVE-2026-33866 | MLflow: auth bypass exposes model artifacts across experiments | mlflow | — |