{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-2614","assignerOrgId":"c09c270a-b464-47c1-9133-acb35b22c19a","state":"PUBLISHED","assignerShortName":"@huntr_ai","dateReserved":"2026-02-17T06:46:27.686Z","datePublished":"2026-05-11T19:02:46.025Z","dateUpdated":"2026-07-06T12:05:05.081Z"},"containers":{"cna":{"title":"Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow","providerMetadata":{"orgId":"c09c270a-b464-47c1-9133-acb35b22c19a","shortName":"@huntr_ai","dateUpdated":"2026-05-11T19:02:46.025Z"},"descriptions":[{"lang":"en","value":"A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0."}],"affected":[{"vendor":"mlflow","product":"mlflow/mlflow","versions":[{"version":"unspecified","lessThan":"3.10.0","status":"affected","versionType":"custom"}]}],"references":[{"url":"https://huntr.com/bounties/19380271-3fbf-4beb-987e-6fd7069c55e6"},{"url":"https://github.com/mlflow/mlflow/commit/6e801f4259d96804c73107315b24cef0f6aa115a"}],"metrics":[{"cvssV3_0":{"version":"3.0","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","cweId":"CWE-22"}]}],"source":{"advisory":"19380271-3fbf-4beb-987e-6fd7069c55e6","discovery":"EXTERNAL"}},"adp":[{"references":[{"url":"https://huntr.com/bounties/19380271-3fbf-4beb-987e-6fd7069c55e6","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-12T13:32:48.303922Z","id":"CVE-2026-2614","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-12T13:33:20.949Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_ai:3.4::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 3.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-05-11T19:02:46.025Z","descriptions":[{"lang":"en","value":"A flaw was found in mlflow. An unauthenticated remote attacker can exploit a vulnerability in the `_create_model_version()` handler by including a specific tag, `mlflow.prompt.is_prompt`, in a `CreateModelVersion` request. This bypasses source path validation, allowing the attacker to specify an arbitrary local filesystem path as the model version source. Subsequently, the `get_model_version_artifact_handler()` function serves files from this unverified source, leading to the disclosure of arbitrary files from the server's filesystem and a complete confidentiality compromise."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-2614"},{"name":"RHBZ#2469309","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2469309"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2614.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34456"}],"solutions":[{"lang":"en","value":"RHSA-2026:34456: Red Hat OpenShift AI 3.4"}],"timeline":[{"lang":"en","time":"2026-05-11T20:05:23.444Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-11T19:02:46.025Z","value":"Made public."}],"title":"mlflow: mlflow: Arbitrary file read via bypassed source path validation","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-06T12:05:05.081Z"}}]}}