CVE-2026-2651
Analyzed - Analysis Complete

Unauthorized Artifact Overwrite in MLflow

Publication date: 2026-05-25

Last updated on: 2026-06-27

Assigner: huntr.dev

Description

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

Meta Information

Published: 2026-05-25
Last Modified: 2026-06-27
Generated: 2026-07-06
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-07-04

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
lfprojects | mlflow | to 3.10.1 (inc)

Exploitability

CWE

CWE ID | Description
CWE-1220 | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

This vulnerability exists in MLflow versions up to 3.10.1.dev0 when the `--serve-artifacts` mode is enabled. It allows unauthorized access to multipart upload (MPU) endpoints because the authorization logic does not properly enforce resource-level permission checks for the `/mlflow-artifacts/mpu/*` endpoints.

As a result, attackers can overwrite artifacts that belong to other users.

This can lead to unauthorized cross-user writes, model supply chain poisoning, and even arbitrary code execution when compromised models are loaded.

The issue is fixed in version 3.10.0.

Impact Analysis

This vulnerability can have severe impacts including unauthorized overwriting of artifacts belonging to other users.

It can enable attackers to perform model supply chain poisoning, which means malicious models could be introduced into your system.

Additionally, it can lead to arbitrary code execution when compromised models are loaded, potentially allowing attackers to execute malicious code on your system.

Mitigation Strategies

To mitigate this vulnerability, upgrade MLflow to version 3.10.0 or later, where the issue is resolved.

Additionally, if you are using the `--serve-artifacts` mode, consider disabling it until the upgrade is applied to prevent unauthorized access to multipart upload endpoints.

Detection Guidance

This vulnerability can be detected by monitoring and testing access to the multipart upload (MPU) endpoints under the path `/mlflow-artifacts/mpu/*`. Specifically, you should check if unauthorized POST requests to these endpoints are allowed without proper authorization.

One way to detect this on your system is to attempt sending POST requests to the MPU endpoints and observe if the server enforces authorization checks.

  • Use curl to send a POST request to an MPU endpoint and check the response status code and message:
      curl -X POST http://<mlflow-server>/mlflow-artifacts/mpu/<some-path> -v

If the server responds without proper authorization errors (e.g., 200 OK instead of 401 Unauthorized or 403 Forbidden), it indicates the vulnerability may be present.

  • Check server logs for unauthorized access attempts or unusual artifact overwrites related to MPU endpoints.

Additionally, reviewing the MLflow server version can help determine if the vulnerability is present, as versions <= 3.10.1.dev0 are affected.
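
The log review suggested above can be scripted. The following is an added example, not MLflow code and not part of the original report. It assumes a reverse proxy in front of the MLflow server writes Combined Log Format with the authenticated user in the third field; the sample lines, user names, artifact paths and operation segments are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

MPU_PREFIX = "/mlflow-artifacts/mpu/"  # path family named in the advisory
# Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (not real traffic); users and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jun/2026:10:00:01 +0000] "POST /mlflow-artifacts/mpu/create/1/abc/artifacts/model HTTP/1.1" 200 512
10.0.0.5 - alice [01/Jun/2026:10:00:09 +0000] "POST /mlflow-artifacts/mpu/complete/1/abc/artifacts/model HTTP/1.1" 200 64
10.0.0.9 - carol [01/Jun/2026:11:30:00 +0000] "POST /mlflow-artifacts/mpu/create/1/abc/artifacts/model HTTP/1.1" 200 512
10.0.0.7 - - [01/Jun/2026:12:00:00 +0000] "POST /mlflow-artifacts/mpu/create/2/def/artifacts/model HTTP/1.1" 200 512
10.0.0.8 - bob [01/Jun/2026:12:05:00 +0000] "POST /mlflow-artifacts/mpu/create/3/ghi/artifacts/model HTTP/1.1" 403 40
10.0.0.8 - bob [01/Jun/2026:12:06:00 +0000] "GET /health HTTP/1.1" 200 2
"""


def parse_mpu_events(log_text):
    """Yield (user, status, operation, artifact_path) for MPU requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = unquote(urlsplit(m["target"]).path)
        if not path.startswith(MPU_PREFIX):
            continue
        # Assumption: first segment after the prefix is the MPU operation.
        operation, _, artifact = path[len(MPU_PREFIX):].partition("/")
        user = None if m["user"] == "-" else m["user"]
        yield user, int(m["status"]), operation, artifact


def find_suspicious(log_text):
    """Return (2xx MPU requests with no user, artifacts written by >1 user)."""
    writers, unauthenticated = defaultdict(set), []
    for user, status, operation, artifact in parse_mpu_events(log_text):
        if not 200 <= status < 300:
            continue  # rejected requests did not modify anything
        if user is None:
            unauthenticated.append((operation, artifact))
        else:
            writers[artifact].add(user)
    shared = {a: sorted(u) for a, u in writers.items() if len(u) > 1}
    return unauthenticated, shared
```

Call `find_suspicious()` on the text of your own access log. An artifact path with several writers is a lead to compare against who owns the run, not proof of an overwrite.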

Compliance Impact

This vulnerability allows unauthorized access and modification of artifacts belonging to other users, which can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution. Such unauthorized access and data manipulation can potentially violate data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict access controls and data integrity safeguards.

Specifically, the lack of resource-level permission checks could result in unauthorized disclosure or alteration of sensitive data or models, undermining confidentiality, integrity, and availability principles critical to compliance frameworks.
