CNNVD-202601-1855 Information
CNNVD ID
CNNVD-202601-1855
Related CVE
- CNNVD Published: 2026-01-12
Description (translated from Chinese)
MLflow is an open-source platform from the MLflow project that simplifies machine learning development, covering experiment tracking, packaging code into reproducible runs, and sharing and deploying models. MLflow 3.4.0 and earlier contain an access control vulnerability: the MLflow REST server does not validate the Origin header of incoming requests, so a malicious website can bypass the protection normally provided by the same-origin policy and make unauthorized calls to REST endpoints, leading to data exfiltration, destruction or tampering.
Description (English)
MLflow is an open-source platform that simplifies machine learning development; it covers experiment tracking, packaging code into reproducible runs, and sharing and deploying models. MLflow 3.4.0 and earlier contain an access control vulnerability caused by missing Origin header validation in the MLflow REST server. A malicious website loaded in a user's browser can bypass same-origin policy protections and issue unauthorized requests to the REST endpoints (a cross-site request forgery against the tracking server), which can result in data leakage, destruction or tampering of experiments, runs and models.
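The missing control is a request-side check that the advisory does not spell out, so the following added example (not MLflow's code and not taken from the referenced commit; consult that commit for what MLflow actually ships) shows what such a check looks like. A browser always attaches an Origin header to cross-origin requests it makes on behalf of a page, and modern browsers also send Sec-Fetch-Site, while non-browser clients such as an SDK or CLI send neither. A server that validates Origin on state-changing methods can therefore refuse the forged request without breaking API clients. The WSGI middleware, the allowlist and the sample requests below are assumptions constructed for illustration:

```python
"""Origin / Sec-Fetch-Site validation for a JSON REST API as a WSGI middleware.

Added illustration, not MLflow's own code. Names, the allowlist and the sample
requests are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Methods that must not change server state; they are left to CORS, which by
# default stops a foreign page from reading the response.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def normalize_origin(value):
    """Canonical 'scheme://host[:port]' (lowercase, default port dropped); None if invalid.
    The opaque origin 'null' (sandboxed iframes, file://) is rejected on purpose."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def check_origin(method, headers, scheme, allowed_origins=frozenset()):
    """Decide whether a request may proceed. Returns (allowed, reason).

    headers: mapping of request header names (any case) to values.
    scheme:  the scheme the server is actually reachable on ('http' or 'https').
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Sec-Fetch-Site is set by the browser and cannot be forged by page script.
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on cross-origin requests, so a missing header
        # means a non-browser client (SDK, CLI, curl): not a cross-site forgery.
        return True, "no Origin header (non-browser client)"
    requested = normalize_origin(origin)
    if requested is None:
        return False, f"unparseable or opaque Origin {origin!r}"
    # A browser fills Host with the real target, so the server's own origin can be
    # derived from it; a foreign page cannot make the browser send a different Host.
    own = normalize_origin(f"{scheme}://{h.get('host', '')}")
    trusted = {normalize_origin(a) for a in allowed_origins} - {None}
    if requested == own or requested in trusted:
        return True, "origin trusted"
    return False, f"cross-origin request from {origin}"


class OriginCheckMiddleware:
    """Rejects state-changing cross-origin requests with 403 before the app sees them."""

    def __init__(self, app, allowed_origins=()):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def __call__(self, environ, start_response):
        headers = {
            "host": environ.get("HTTP_HOST", ""),
            "origin": environ.get("HTTP_ORIGIN"),
            "sec-fetch-site": environ.get("HTTP_SEC_FETCH_SITE"),
        }
        headers = {k: v for k, v in headers.items() if v is not None}
        ok, reason = check_origin(environ.get("REQUEST_METHOD", "GET"), headers,
                                  environ.get("wsgi.url_scheme", "http"), self.allowed)
        if not ok:
            body = f"Forbidden: {reason}\n".encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                              ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def run_demo():
    """Run three constructed requests through the middleware; returns {name: status}."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    mw = OriginCheckMiddleware(app)
    base = {"HTTP_HOST": "localhost:5000", "wsgi.url_scheme": "http",
            "PATH_INFO": "/api/2.0/mlflow/experiments/delete"}  # path is illustrative
    scenarios = {
        # SDK / CLI client: no Origin at all.
        "sdk_client": {**base, "REQUEST_METHOD": "POST"},
        # The server's own web UI calling its API from the same origin.
        "same_origin_ui": {**base, "REQUEST_METHOD": "POST",
                           "HTTP_ORIGIN": "http://localhost:5000",
                           "HTTP_SEC_FETCH_SITE": "same-origin"},
        # A page on another site forging a POST via the victim's browser.
        "forged_cross_site": {**base, "REQUEST_METHOD": "POST",
                              "HTTP_ORIGIN": "https://attacker.example",
                              "HTTP_SEC_FETCH_SITE": "cross-site"},
    }
    results = {}
    for name, environ in scenarios.items():
        status = []
        list(mw(environ, lambda s, hdrs: status.append(s)))
        results[name] = status[0]
    return results


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:20s} -> {status}")
```

Two caveats apply to this style of check. It is not a substitute for Host validation against DNS rebinding, which is a separate control, and it is only useful if the server does not also reflect arbitrary origins in Access-Control-Allow-Origin, since a permissive CORS policy would let the foreign page read responses as well as send requests.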
Hazard Level
Medium
Vulnerability Type
Access control error
Affected Vendor
MLflow
Published
2026-01-12
Last Modified
2026-02-24
References
https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3
https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108
Patch
https://github.com/mlflow/mlflow/releases