Suggestions search

Published

Filter by:

With package: mlflow-server

Found 3 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-33865

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 2 weeks ago
@LeSuisse ignored
4 packages
- python312Packages.sagemaker-mlflow
- python313Packages.sagemaker-mlflow
- python314Packages.sagemaker-mlflow
- pkgsRocm.python3Packages.sagemaker-mlflow
1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

Stored XSS via unsafe YAML parsing in MLflow

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1

References

https://github.com/mlflow/mlflow/pull/21435 patch
https://cert.pl/en/posts/2026/04/CVE-2026-33865/ third-party-advisory

Affected products

mlfolw

=<3.10.1

Matching in nixpkgs

pkgs.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.pkgsRocm.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python312Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1

pkgs.pkgsRocm.python3Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

Ignored packages (4)

pkgs.python312Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python313Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python314Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0

pkgs.pkgsRocm.python3Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

Package maintainers

@tbenst Tyler Benster <nix@tylerbenster.com>

Permalink CVE-2026-33866

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 2 weeks ago
@LeSuisse ignored
4 packages
- python312Packages.sagemaker-mlflow
- python313Packages.sagemaker-mlflow
- python314Packages.sagemaker-mlflow
- pkgsRocm.python3Packages.sagemaker-mlflow
1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

Authorization Bypass in MLflow AJAX Endpoint

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1

References

https://github.com/mlflow/mlflow/pull/21708 patch
https://cert.pl/en/posts/2026/04/CVE-2026-33865/ third-party-advisory

Affected products

mlflow

=<3.10.1

Matching in nixpkgs

pkgs.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.pkgsRocm.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python312Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1

pkgs.pkgsRocm.python3Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.8.1
- nixpkgs-unstable 3.8.1
- nixos-unstable-small 3.8.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

Ignored packages (4)

pkgs.python312Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python313Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python314Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0

pkgs.pkgsRocm.python3Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

Package maintainers

@tbenst Tyler Benster <nix@tylerbenster.com>

Permalink CVE-2026-2635

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
4 packages
- pkgsRocm.python3Packages.sagemaker-mlflow
- python314Packages.sagemaker-mlflow
- python313Packages.sagemaker-mlflow
- python312Packages.sagemaker-mlflow
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

MLflow Use of Default Password Authentication Bypass Vulnerability

MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.

References

ZDI-26-111 x_research-advisory
vendor-provided URL vendor-advisory

Affected products

MLflow

==3.4.0

Matching in nixpkgs

pkgs.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.pkgsRocm.mlflow-server

Open source platform for the machine learning lifecycle

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python312Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.pkgsRocm.python3Packages.mlflow

Open source platform for the machine learning lifecycle

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

Ignored packages (4)

pkgs.python312Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python313Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

pkgs.python314Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0

pkgs.pkgsRocm.python3Packages.sagemaker-mlflow

MLFlow plugin for SageMaker

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.1
- nixos-25.11-small 0.1.1
- nixpkgs-25.11-darwin 0.1.1

Package maintainers

@tbenst Tyler Benster <nix@tylerbenster.com>

Upstream PR: https://github.com/mlflow/mlflow/pull/19260
ZDI advisory: https://www.zerodayinitiative.com/advisories/ZDI-26-111/