CNNVD-202602-117 Information
CNNVD ID
CNNVD-202602-117
Related CVE
-
CNNVD Published
2026-02-02
Description
MLflow is an open-source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. MLflow version 2.20.3 contains a security vulnerability that stems from insecure permissions on the temporary directory allocated for creating Python virtual environments, which may allow a race condition to be exploited to overwrite .py files in the virtual environment and thereby execute arbitrary code.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
MLflow
Published
2026-02-02
Last Modified
2026-02-24
References
https://huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8
https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a
https://access.redhat.com/security/cve/cve-2025-10279
Patch
https://github.com/mlflow/mlflow/releases