CVE-2026-2614 Overview
CVE-2026-2614 is a path traversal vulnerability [CWE-22] in the _create_model_version() handler of mlflow/server/handlers.py in MLflow versions 3.9.0 and earlier. An unauthenticated remote attacker can read arbitrary files from the server's filesystem by submitting a CreateModelVersion request that includes the mlflow.prompt.is_prompt tag. The tag bypasses source path validation, allowing the attacker to store an arbitrary local filesystem path as the model version source. The get_model_version_artifact_handler() function later serves files from that path without verifying the prompt status. The issue is fixed in MLflow version 3.10.0.
Critical Impact
Unauthenticated remote attackers can read arbitrary files such as /etc/passwd, application secrets, and model artifacts from the MLflow server filesystem, resulting in a complete confidentiality compromise.
Affected Products
- MLflow versions 3.9.0 and earlier
- MLflow Model Registry (_create_model_version() handler)
- MLflow Tracking Server exposing the REST API
Discovery Timeline
- 2026-05-11 - CVE-2026-2614 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-2614
Vulnerability Analysis
The vulnerability resides in MLflow's Model Registry REST API. When the server receives a CreateModelVersion request, the _create_model_version() handler in mlflow/server/handlers.py decides whether to validate the supplied source path. The handler treats requests carrying the mlflow.prompt.is_prompt tag as prompt registrations and skips source validation entirely. This allows an attacker to register a model version whose source field points to an arbitrary local path on the server, such as /etc/passwd or a directory containing secrets.
The second half of the exploit relies on get_model_version_artifact_handler(). That function fetches and returns artifacts from the stored source location without re-checking the prompt status. As a result, the attacker can request artifact content from the previously registered model version and the server reads and returns the file from the local filesystem. The flaw is classified as a path traversal weakness [CWE-22].
Root Cause
The root cause is an inverted trust assumption. The code excluded prompt-flagged requests from the existing source path validation, presuming prompts could never reference local filesystem paths. The artifact serving handler did not enforce a corresponding restriction, so any caller who could create a prompt-tagged model version could later retrieve files from its declared source path.
Attack Vector
The attack is performed over the network against an exposed MLflow tracking server. No authentication or user interaction is required. The attacker issues two REST API calls: one to CreateModelVersion with the mlflow.prompt.is_prompt tag and a source set to a local path, then a follow-up artifact request that returns the file contents.
error_code=INVALID_PARAMETER_VALUE,
)
- # If the model version is a prompt, we don't validate the source
is_prompt = _is_prompt_request(request_message)
- if not is_prompt:
+ if is_prompt:
+ # Prompt sources must not point to local filesystem paths.
+ # Block file:// URIs and absolute paths (e.g. /etc/passwd) but allow
+ # the legitimate schemeless placeholder sources used internally
+ # (e.g. "prompt-template", "dummy-source").
+ source = request_message.source
+ parsed = urllib.parse.urlparse(source)
+ if parsed.scheme == "file" or (parsed.scheme == "" and source.startswith("/")):
+ raise MlflowException(
+ f"Invalid prompt source: '{source}'. "
+ "Local source paths are not allowed for prompts.",
+ INVALID_PARAMETER_VALUE,
+ )
+ # Only validate traversal for sources with a URL scheme (http, https, etc.)
+ if parsed.scheme:
+ _validate_non_local_source_contains_relative_paths(source)
+ else:
if request_message.model_id:
_validate_source_model(request_message.source, request_message.model_id)
else:
Source: GitHub Commit 6e801f4. The patch reverses the validation logic so prompt requests are explicitly inspected, rejecting file:// URIs and absolute filesystem paths while still permitting internal placeholder sources.
Detection Methods for CVE-2026-2614
Indicators of Compromise
- CreateModelVersion API calls containing the tag key mlflow.prompt.is_prompt combined with a source value that is an absolute path or a file:// URI.
- Subsequent GET requests to get-artifact or model-versions/get-artifact endpoints referencing the same model version returning the contents of system files.
- Model registry entries whose source field points to local paths such as /etc/passwd, /root/.ssh/, or application configuration directories.
Detection Strategies
- Inspect MLflow server access logs for POST requests to /api/2.0/mlflow/model-versions/create that include the mlflow.prompt.is_prompt tag and a non-URL source.
- Correlate prompt-tagged model version creations with subsequent artifact retrieval calls returning unusually large or sensitive file content.
- Alert on any MLflow API request originating from unauthenticated or unexpected network sources, given the service should not be exposed without authentication.
Monitoring Recommendations
- Forward MLflow application and reverse-proxy logs to a centralized logging or SIEM platform and retain them for retroactive hunting.
- Establish baseline metrics for model version creation and artifact retrieval volume, and alert on deviations.
- Monitor outbound and internal access to the MLflow service for clients that bypass corporate authentication gateways.
How to Mitigate CVE-2026-2614
Immediate Actions Required
- Upgrade MLflow to version 3.10.0 or later, which contains the fix in _create_model_version().
- Restrict network access to the MLflow tracking server so it is reachable only from trusted networks or through an authenticating reverse proxy.
- Audit the model registry for existing model versions whose source field references local filesystem paths and remove suspicious entries.
Patch Information
The vulnerability is resolved in MLflow 3.10.0. The fix is implemented in commit 6e801f4, which adds explicit validation for prompt-tagged requests, rejecting file:// URIs and absolute filesystem paths. Additional context is available in the Huntr Bug Bounty Report.
Workarounds
- Place MLflow behind an authenticating reverse proxy such as nginx with basic auth or OAuth2 proxy to block unauthenticated API calls.
- Apply network ACLs or service mesh policies that limit CreateModelVersion requests to known internal clients.
- Run the MLflow process under a low-privilege account that has no read access to sensitive files such as /etc/shadow or application secrets.
# Upgrade MLflow to the patched release
pip install --upgrade 'mlflow>=3.10.0'
# Verify the installed version
python -c "import mlflow; print(mlflow.__version__)"
# Example nginx snippet enforcing authentication on the tracking server
# location / {
# auth_basic "MLflow";
# auth_basic_user_file /etc/nginx/.htpasswd;
# proxy_pass http://127.0.0.1:5000;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
