CVE-2026-4137: MLflow Temporary Files Vulnerability Exposes Models to RCE

The National Vulnerability Database has published CVE-2026-4137, a high-severity vulnerability in MLflow versions prior to 3.11.0. The core issue is insecure temporary-directory permissions: get_or_create_nfs_tmp_dir() creates world-writable directories (mode 0o777), and _create_model_downloading_tmp_dir() creates group-writable ones (0o770).

Because any local user (or, in the 0o770 case, any member of the directory's group) can write into those directories, an attacker on the same host can replace or modify the model artifacts staged there, in particular cloudpickle-serialized Python objects, before the victim process reads them. When the tampered artifact is deserialized via cloudpickle.load(), the attacker's payload runs with the privileges of the loading process. NVD singles out shared NFS mounts, as used on Databricks where NFS is often enabled by default, because the directory is then reachable from every node that mounts the share rather than from one machine. The issue is a direct continuation and partial bypass of the earlier fix for CVE-2025-10279.

With a CVSS score of 7.0 (HIGH), this isn't a theoretical concern. It is a clear path for an insider or a compromised low-privileged local account to inject code into ML workflows: no network access and no MLflow credentials are needed, only write access to the temp directory and a window between the artifact being staged and it being loaded. The payoff is code execution as whichever user or service loads the model, which translates into persistence or privilege escalation inside the ML environment, and into silent loss of data integrity and model trustworthiness.
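The mechanism above reduced to runnable Python, as an added example rather than MLflow's own code: the stdlib pickle stands in for cloudpickle (both call whatever __reduce__ names at load time), weak_tmp_dir() reproduces the mkdtemp-then-chmod widening the advisory describes with the 0o777 and 0o770 modes, and artifact_dir_is_trusted()/load_artifact() are an assumed hardening that refuses to deserialize from any directory not owned by the caller or writable by group or other. The marker directory, file names and the demo() fixture are constructed for illustration; the "payload" only creates a directory where a real one would run commands. POSIX only (mode bits, os.getuid).

```python
"""Weak vs. hardened temp-dir handling around a pickled model artifact.

Added illustration, not MLflow's own code. pickle stands in for cloudpickle,
and weak_tmp_dir() mirrors the mkdtemp-then-chmod pattern the advisory
describes rather than reproducing MLflow's functions.
"""
import os
import pickle
import stat
import tempfile

PAYLOAD_MARKER = "PAYLOAD_RAN"  # assumed name; proves the unpickler ran our callable


class TamperedArtifact:
    """What an attacker drops in place of a legitimate pickled model.

    pickle.load() calls the callable returned by __reduce__ with these args;
    here it merely creates a marker directory, where a real payload would run
    os.system or similar with the loading process's privileges.
    """

    def __init__(self, marker_path):
        self.marker_path = marker_path

    def __reduce__(self):
        return (os.makedirs, (self.marker_path, 0o700, True))


def weak_tmp_dir(root, mode):
    """Vulnerable pattern: mkdtemp yields 0o700, then the mode is widened.

    mode=0o777 matches what the advisory says of get_or_create_nfs_tmp_dir(),
    0o770 what it says of _create_model_downloading_tmp_dir().
    """
    path = tempfile.mkdtemp(dir=root)
    os.chmod(path, mode)
    return path


def hardened_tmp_dir(root):
    """Fixed pattern: keep mkdtemp's owner-only 0o700 and never widen it."""
    return tempfile.mkdtemp(dir=root)


def artifact_dir_is_trusted(path):
    """Reject a directory another local user could have written into.

    lstat (not stat) so a symlink swapped in by an attacker is not followed.
    """
    st = os.lstat(path)
    return (
        stat.S_ISDIR(st.st_mode)
        and st.st_uid == os.getuid()
        and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    )


def load_artifact(dirpath, name="model.pkl"):
    """Guarded load: refuse before reading a single byte from an untrusted dir."""
    if not artifact_dir_is_trusted(dirpath):
        raise PermissionError(f"refusing to unpickle from untrusted dir {dirpath}")
    with open(os.path.join(dirpath, name), "rb") as f:
        return pickle.load(f)


def demo(root=None):
    """Stage a tampered artifact (constructed, written by this same user) and compare outcomes."""
    root = root or tempfile.mkdtemp(prefix="cve-2026-4137-demo-")
    weak_777 = weak_tmp_dir(root, 0o777)
    weak_770 = weak_tmp_dir(root, 0o770)
    safe = hardened_tmp_dir(root)
    results = {
        "trusted_0o777": artifact_dir_is_trusted(weak_777),
        "trusted_0o770": artifact_dir_is_trusted(weak_770),
        "trusted_hardened": artifact_dir_is_trusted(safe),
    }
    # Attacker step: overwrite the staged artifact in the world-writable dir.
    marker = os.path.join(weak_777, PAYLOAD_MARKER)
    with open(os.path.join(weak_777, "model.pkl"), "wb") as f:
        pickle.dump(TamperedArtifact(marker), f)
    # Unguarded consumer (what a plain cloudpickle.load() amounts to): payload runs.
    with open(os.path.join(weak_777, "model.pkl"), "rb") as f:
        pickle.load(f)
    results["unguarded_load_ran_payload"] = os.path.isdir(marker)
    # Guarded consumer: the directory fails the check, so nothing is unpickled.
    try:
        load_artifact(weak_777)
        results["guarded_load_refused"] = False
    except PermissionError:
        results["guarded_load_refused"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately on the directory, not the file: a writable parent lets the attacker rename or replace the artifact regardless of the file's own mode, which is why widening the directory is the bug. Ownership plus no group/other write is the minimum; on a shared NFS mount where the same uid may map to different people, a per-user subtree or an ACL is the stronger fix.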

What This Means For You

  • If your organization runs MLflow, especially with shared NFS mounts as on Databricks, treat this as a patch-now item: CVE-2026-4137 gives any local user who can write to the temp directory a path to arbitrary code execution by tampering with staged model artifacts. Inventory every MLflow install, including copies pinned inside model-serving images and notebook environments, for versions prior to 3.11.0 and upgrade; until then, confirm that nothing under your MLflow temp and NFS paths is group- or world-writable. This is about the integrity of the whole ML pipeline, not just the data in it.
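The two audit checks from the item above in Python, added here and not taken from MLflow or the advisory: a small version comparison against the fixed release 3.11.0 (parse_version() is an assumed, minimal stand-in for packaging.version that drops pre-release suffixes) and a walk that reports group- or world-writable directories under a root such as a shared NFS mount. self_check() builds a constructed fixture; the MLFLOW_AUDIT_ROOT variable and the fixture names are assumptions.

```python
"""Audit helpers for CVE-2026-4137 (added example, not MLflow's own code).

Two checks to run on each host, and on the root of any shared NFS mount:
  1. is the mlflow this interpreter imports older than the fixed release 3.11.0?
  2. which directories under a root are group- or world-writable?
Pre-release/dev suffixes are dropped by the parser, so '3.11.0rc1' counts as
3.11.0; treat release candidates as unfixed separately if that matters.
"""
import os
import re
import stat
import tempfile
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = (3, 11, 0)  # first release the advisory lists as fixed


def parse_version(text):
    """Leading numeric components as a 3-tuple: '3.10.2rc1' -> (3, 10, 2)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def mlflow_is_affected(version_text):
    """True when the given mlflow version predates 3.11.0."""
    return parse_version(version_text) < FIXED_VERSION


def installed_mlflow_version():
    """Version string of the mlflow this interpreter resolves, or None if absent."""
    try:
        return version("mlflow")
    except PackageNotFoundError:
        return None


def loose_dirs(root):
    """Yield (path, octal mode, uid) for every dir under root writable by group or other.

    os.walk does not follow symlinks by default and lstat is used for the mode,
    so a symlink planted by an attacker is skipped rather than chased.
    """
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                yield path, oct(stat.S_IMODE(st.st_mode)), st.st_uid


def self_check():
    """Run both checks against a throwaway fixture (constructed, not a real MLflow tree)."""
    root = tempfile.mkdtemp(prefix="mlflow-audit-fixture-")
    loose = os.path.join(root, "models_shared")
    tight = os.path.join(root, "models_private")
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    os.mkdir(tight)
    os.chmod(tight, 0o700)
    found = {p: mode for p, mode, _ in loose_dirs(root)}
    return {
        "flags_world_writable": found.get(loose) == "0o777",
        "ignores_owner_only": tight not in found,
        "old_release_affected": mlflow_is_affected("3.10.2"),
        "fixed_release_clean": not mlflow_is_affected("3.11.0"),
    }


if __name__ == "__main__":
    v = installed_mlflow_version()
    print("mlflow:", v, "affected" if v and mlflow_is_affected(v) else "not affected / not installed")
    # Assumed env var; default to /tmp, where mkdtemp lands when no NFS root is configured.
    for p, mode, uid in loose_dirs(os.environ.get("MLFLOW_AUDIT_ROOT", "/tmp")):
        print(f"{mode} uid={uid} {p}")
```

Run the version check inside every interpreter that actually loads models (serving containers, Spark executors, notebook kernels), not just on the login host; the audit walk is most telling pointed at the NFS root, where a loose directory is reachable from every node.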

🛡️ Detection Rules

high T1222.002 Defense Evasion

CVE-2026-4137: MLflow Temporary Directory World-Writable Permissions

Sigma YAML
title: 'CVE-2026-4137: MLflow Temporary Directory World-Writable Permissions'
id: scw-2026-05-18-ai-1
status: experimental
level: high
description: |
  Detects directory creation by a privileged process in temporary paths that
  MLflow (before 3.11.0) uses for model downloads and runs. MLflow creates these
  with 0o777/0o770 permissions (CVE-2026-4137), which lets a local attacker
  replace model artifacts that are later deserialized with cloudpickle.load().
  file_event sources generally do not record mode bits, so this rule keys on
  path and actor only; confirm the mode with an audit of the flagged directory.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4137/
tags:
  - attack.defense_evasion
  - attack.t1222.002
logsource:
  category: file_event
detection:
  selection:
    action: 'create_dir'
    User: 'root'
    TargetFilename|endswith: '/mlflow_model_download'
  selection_base:
    # both substrings must be present (AND), hence the |all modifier
    TargetFilename|contains|all:
      - '/tmp/'
      - '/mlruns/'
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity
  - MLflow itself creating the directory on a host already running 3.11.0 or later


Indicators of Compromise

ID             Type              Indicator
CVE-2026-4137  RCE               mlflow/mlflow versions prior to 3.11.0
CVE-2026-4137  Misconfiguration  Insecure permissions (0o777) in mlflow/utils/file_utils.py::get_or_create_nfs_tmp_dir()
CVE-2026-4137  Misconfiguration  Insecure permissions (0o770) in mlflow/pyfunc/__init__.py::_create_model_downloading_tmp_dir()
CVE-2026-4137  Deserialization   Arbitrary code execution via cloudpickle.load() of tampered artifacts

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
