MLflow Arbitrary File Read Vulnerability Bypasses Path Validation
The National Vulnerability Database has disclosed CVE-2026-2614, a high-severity vulnerability (CVSS 7.5) in MLflow versions up to 3.9.0. This flaw allows an unauthenticated remote attacker to read arbitrary files from the server’s filesystem. The root cause lies in the _create_model_version() handler in mlflow/server/handlers.py.
The vulnerability is triggered when a CreateModelVersion request includes the mlflow.prompt.is_prompt tag. This tag effectively bypasses crucial source path validation, allowing an attacker to store an arbitrary local filesystem path as the model version source. Subsequently, the get_model_version_artifact_handler() function uses this compromised source to serve files without re-verifying the model version’s prompt status, leading to a complete confidentiality compromise.
This is a classic CWE-22 Path Traversal scenario, but with a specific bypass mechanism that makes it particularly insidious. Attackers can leverage this to exfiltrate sensitive configuration files, source code, or even credential files from MLflow servers. Defenders need to understand that this isn’t just a theoretical flaw; it’s a direct path to data exfiltration without authentication.
What This Means For You
- If your organization uses MLflow, you need to determine your version immediately. This arbitrary file read is a direct path to data exfiltration. Attackers will use this to grab configuration files, source code, and anything else they can access. Upgrade to MLflow version 3.10.0 or later RIGHT NOW to patch CVE-2026-2614. If you can't patch, restrict network access to your MLflow server.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-2614 - MLflow Arbitrary File Read via Malicious Tag
title: CVE-2026-2614 - MLflow Arbitrary File Read via Malicious Tag
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
Detects the specific API endpoint and query parameter used in the MLflow arbitrary file read vulnerability (CVE-2026-2614). An attacker can exploit this by sending a POST request to the model-versions/create endpoint with the 'mlflow.prompt.is_prompt' tag to bypass path validation and read arbitrary files.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-2614/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/2.0/mlflow/model-versions/create'
cs-method:
- 'POST'
cs-uri-query|contains:
- 'mlflow.prompt.is_prompt'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-2614 | Information Disclosure | mlflow/mlflow versions 3.9.0 and earlier |
| CVE-2026-2614 | Path Traversal | Vulnerable handler: `_create_model_version()` in `mlflow/server/handlers.py` |
| CVE-2026-2614 | Path Traversal | Attack vector: `CreateModelVersion` request with tag `mlflow.prompt.is_prompt` |
| CVE-2026-2614 | Information Disclosure | Vulnerable function: `get_model_version_artifact_handler()` |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 23:25 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-43874: WWBN AVideo WebSocket Vulnerability Allows RCE
CVE-2026-43874 — WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval...
Pi-hole Privilege Escalation via Systemd Scripts (CVE-2026-41489)
CVE-2026-41489 — Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and...
CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability
CVE-2026-8321 — A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware....