mlflow / mlflow
Project repository
Open source platform for the machine learning lifecycle
Program SLA: first interaction within 3 days • review within 3 days • fix within N/A days
Reports (title • date • reporter • status • severity):

Broken Access Control: 31 v3 API Endpoints Missing Authorization Validators in M... • Mar 31st 2026 • lewlademp • duplicate • High
Zero-Click Remote Code Execution (RCE) via Deserialization in mlflow.genai.list_... • Mar 31st 2026 • samir-atra • duplicate • Critical
Arbitrary Module Import via pickle_module_info.txt in MLflow PyTorch Model Loadi... • Mar 31st 2026 • hacnho • duplicate • High
Arbitrary File Read via Tar Symlink Bypass of Path Traversal Fix in mlflow/mlflo... • Mar 31st 2026 • hacnho • duplicate • Medium
Default config allows unauthenticated pickle RCE via model upload API • Mar 31st 2026 • csaw-admin • duplicate • Critical
Vulnerability Report: Remote Code Execution (RCE) in `mlflow.genai.scorers` • Mar 29th 2026 • samir-atra • duplicate • Critical
_safe_extractall() TOCTOU Bypass Allows Arbitrary File Write Through Crafted Mod... • Mar 26th 2026 • willardjansen • duplicate • High
Path Traversal in `LocalArtifactRepository.delete_artifacts()` allows arbitrary... • Mar 26th 2026 • caoxuyang • duplicate • High
Remote Code Execution via unsanitized `func_name` in `exec()` call in `recreate_... • Mar 26th 2026 • caoxuyang • duplicate • Critical
Incomplete fix for PR #18964: delete_artifacts() still missing validate_path_wit... • Mar 26th 2026 • gengyscan • duplicate • High
Path Traversal in Multipart Upload Artifact Endpoints • Mar 26th 2026 • scruge1 • duplicate • High
Arbitrary File Read/Write via Tar Hardlink Bypass in check_tarfile_security • Mar 31st 2026 • akasxh • duplicate • Critical
check_tarfile_security() validates symlinks but not hardlinks, allowing arbitrar... • Mar 31st 2026 • scruge1 • duplicate • Medium
Multiple deserialization paths bypass MLFLOW_ALLOW_PICKLE_DESERIALIZATION safe... • Mar 31st 2026 • scruge1 • duplicate • High
Unsafe pickle.load() Without Safety Gate in PickleEvaluationArtifact • Mar 19th 2026 • twsky100 • duplicate • High
Alternative unauthenticated entry point to scorer exec() via Jobs API bypasses f... • Mar 19th 2026 • den-sec • duplicate • Critical
Remote Code Execution via Unguarded pickle.load() in PickleEvaluationArtifact • Mar 19th 2026 • snailsploit • duplicate • Critical
Pickle deserialization guard bypass in PickleEvaluationArtifact • Mar 19th 2026 • buttergolemcode • duplicate • High
Insecure Default: `MLFLOW_ALLOW_PICKLE_DESERIALIZATION=True` Bypasses Deserializ... • Mar 31st 2026 • artqcid • duplicate • High
SSRF via Unvalidated URL in mlflow.projects.run() • Mar 17th 2026 • wheresfrank • duplicate • High
Server-Side Request Forgery (SSRF) in MLflow Gateway via unvalidated api_base UR... • Mar 17th 2026 • elucidator-hky • duplicate • Critical
ReDoS via RLIKE operator in Trace Search API allows unauthenticated denial of se... • Mar 17th 2026 • elucidator-hky • duplicate • High
Authorization bypass in Evaluation Dataset, Assessment, and Issue APIs allows an... • Mar 17th 2026 • elucidator-hky • duplicate • High
RCE via unsanitized exec() in scorer deserialization at /ajax-api/3.0/mlflow/sco... • Mar 17th 2026 • victoratus • duplicate • High
Systematic Missing Authorization on V3.0 API Endpoints Allows Cross-User Data Ac... • Mar 17th 2026 • elucidator-hky • duplicate • High
CRLF Log Injection via Unsanitized Host and Origin Headers in Security Middlewar... • Mar 16th 2026 • pelegs202-design • not applicable
Missing Authorization on Issues and Assessments API Endpoints • Mar 17th 2026 • joshuaswanson • duplicate • High
Unsafe torch.load() in MLflow PyTorch Integration Enables RCE via Malicious Mode... • Mar 16th 2026 • odysseypro25-project • not applicable
Unsafe pickle.load() and cloudpickle.load() in MLflow sklearn/pyfunc/dspy Enable... • Mar 16th 2026 • odysseypro25-project • spam
Password Validation Bypassed on Password Update Allowing Single-Character Passwo... • Mar 16th 2026 • pelegs202-design • not applicable
Gateway Passthrough Forwards Arbitrary Client Headers to LLM Providers Enabling... • Mar 16th 2026 • pelegs202-design • not applicable
Cross-Site Request Forgery on All State-Changing API Endpoints Due to Disabled C... • Mar 16th 2026 • pelegs202-design • not applicable
MLflow Pickle Deserialization RCE via Insecure Model Loading • Mar 15th 2026 • skykan999 • self closed
MLflow Pickle Deserialization RCE via Insecure Model Loading • Mar 15th 2026 • skykan999 • self closed
Full-Read SSRF via Unvalidated api_base in Gateway Endpoint Configuration • Mar 17th 2026 • 2201029-cyber • duplicate • High
Exception Details Leaked to HTTP Clients via Error Response Serialization • Mar 16th 2026 • pelegs202-design • not applicable
RLIKE Regex Injection into Database Engine via Trace Search API • Mar 17th 2026 • pelegs202-design • duplicate • High
Type Coercion in is_admin Parameter Causes Privilege Escalation via Truthy Strin... • Mar 17th 2026 • pelegs202-design • not applicable
Hardcoded Default Admin Credentials Enable Unauthenticated Full Server Takeover • Mar 16th 2026 • pelegs202-design • not applicable
SQL Injection via Unparameterized type_text in Unity Catalog Function Invocation • Mar 17th 2026 • pelegs202-design • spam
Fail-Open Authorization: 30+ Auth-Plugin Endpoints Missing Permission Validators • Mar 16th 2026 • pelegs202-design • spam
Arbitrary Code Execution via Unconstrained importlib.import_module in PyTorch Mo... • Mar 16th 2026 • pelegs202-design • spam
Arbitrary Code Execution via Unconstrained importlib.import_module in LlamaIndex... • Mar 16th 2026 • pelegs202-design • spam
Missing path validation in delete_artifacts() across multiple ArtifactRepository... • Mar 15th 2026 • eistee82 • self closed
Explicit weights_only=False in _load_pyfunc() enables RCE via Remote Model URI i... • Mar 16th 2026 • theoddesseyp-ai • not applicable
Security Check Bypass in check_tarfile_security — Symlink Target Not Validated • Mar 31st 2026 • goblinmode2700 • duplicate • None
Zip Slip Arbitrary File Write in Spark Model Distribution • Mar 16th 2026 • goblinmode2700 • spam
Zip Slip Arbitrary File Write via Malicious Project Archive • Mar 16th 2026 • goblinmode2700 • spam
check_tarfile_security Bypass via Empty-Named Symlink Chain Enables Arbitrary Fi... • Mar 26th 2026 • psdat123 • duplicate • Critical
Broken Access Control on Issue/Assessment/Dataset/TraceV3 APIs — any authenticat... • Mar 17th 2026 • romain-deperne • duplicate • Medium
IDOR on Issue Management API — Any Authenticated User Can Read, Modify and Enume... • Mar 17th 2026 • prabhalendamuri15-lab • duplicate • High
Arbitrary Code Execution via importlib.import_module() with Model-Artifact-Contr... • Mar 16th 2026 • elucidator-hky • spam
Authenticated Read/Delete Authorization Bypass on Evaluation Datasets • Mar 17th 2026 • ch1nhpd • duplicate • High
Arbitrary Code Execution via Attacker-Controlled Pickle Module Import Bypasses _... • Mar 16th 2026 • elucidator-hky • self closed
Arbitrary code execution via unsafe pickle.load() and cloudpickle.load() in mult... • Mar 16th 2026 • elucidator-hky • self closed
Zip Slip Vulnerability in Project Fetching Allows Arbitrary File Write • Mar 16th 2026 • elucidator-hky • self closed
Arbitrary Code Execution via Scorer Deserialization in _invoke_scorer_handler • Mar 17th 2026 • odysseypro25-project • duplicate • None
Bounty amounts: Critical $1500 • High $750 • Medium $125 • Low $20