External risk intelligence

MLflow Artifact Uploads Allow Unauthorized Cross-User Writes

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-2651

MLflow is frequently deployed as a centralized, web-based platform for managing machine learning lifecycles. When the --serve-artifacts mode is enabled, it acts as a network-accessible service to handle model artifacts, making it a common target for network-based interactions in collaborative data science environments.

Lfprojects Mlflow

3.10.1 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in MLflow, a platform used for managing machine learning lifecycles. When configured to serve artifacts, a flaw in its authorization logic allows unauthorized users to overwrite critical model files. This could lead to the supply chain of machine learning models being compromised, potentially enabling attackers to execute arbitrary code when compromised models are used.

  • Unauthorized users can overwrite MLflow model files.
  • This could lead to compromised machine learning supply chains.
  • Confirm relevance and assess potential impact on model integrity.

Attack Path

How an attacker could exploit the issue

An attacker with limited privileges could potentially overwrite other users' artifacts if MLflow is running with artifact serving enabled. This could involve poisoning the model supply chain or enabling arbitrary code execution if malicious models are later loaded.

  • Requires authenticated access.
  • Triggers by uploading multipart artifacts.
  • Risks include code execution and data corruption.

Live Threat

Current exploitation, exposure, and threat context

When the `--serve-artifacts` mode is enabled, unauthorized users could overwrite model artifacts belonging to other users. This could lead to the poisoning of machine learning models or potentially arbitrary code execution when compromised models are loaded.

  • Model artifacts
  • Unauthorized overwrite of artifacts
  • Model supply chain poisoning

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams managing ML platforms and the applications that rely on MLflow are likely responsible for addressing this vulnerability. The first step is to locate all MLflow deployments, confirm if they are exposed externally and critical to business operations, and then identify the specific accountable owner to plan remediation.

  • ML platform or application owners should own the issue.
  • Verify MLflow artifact endpoint reachability.
  • Plan remediation based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MLflow and how is it used?

MLflow is an open-source platform managed by LF Projects that supports the complete machine learning lifecycle. Data scientists and engineers use it to track experiments, package code into reproducible runs, and share models. By enabling the --serve-artifacts mode, teams turn MLflow into a centralized web-based repository for storing and retrieving model files, allowing different users in a collaborative environment to manage and access their shared machine learning assets.

What does CVE-2026-2651 mean for MLflow security?

This vulnerability involves a missing authorization check, categorized as CWE-862. Essentially, the software fails to verify if a user has permission to modify a specific file when they interact with multipart upload endpoints. This flaw allows an authenticated user to overwrite artifacts belonging to others. Because these artifacts are often used in automated pipelines, an attacker could replace legitimate models with malicious ones, potentially triggering arbitrary code execution later.

How is this MLflow vulnerability triggered?

The issue specifically impacts MLflow deployments running with the --serve-artifacts flag enabled. An attacker must have a level of authenticated access to interact with the multipart upload (MPU) endpoints. It is important to note that if the --serve-artifacts mode is disabled, the specific endpoints affected by this authorization bypass are not active, meaning that standard model logging or read-only interactions do not inherently trigger this specific vulnerability.

Is my MLflow instance at high risk?

According to Halo Surface Signal, MLflow is often deployed as a network-accessible service, making it a common target for network-based interactions. Your risk is elevated if your instance is internet-facing or reachable by untrusted users within your network. Because the vulnerability allows for cross-user writes, any deployment where multiple users share access to the same artifact server should be prioritized for review.

What should I do to secure my MLflow installation?

The primary step is to identify all running MLflow instances in your environment to determine if they are configured with --serve-artifacts. If you find affected versions, update to the version specified in the vendor's guidance. While planning for the update, restrict network access to the artifact endpoints to only trusted users or systems to prevent unauthorized manipulation of your model supply chain.

References