PT-2026-41733 · Mlflow · Mlflow

Published: 2026-05-18 · Updated: 2026-05-19 · CVE-2026-4137

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mlflow versions prior to 3.11.0
Description: The `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, leading to arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. The issue is especially critical in environments with shared NFS (Network File System) mounts, such as Databricks, where NFS is enabled by default.
Recommendations: Update to version 3.11.0 or later. As a temporary workaround, restrict access to the `get_or_create_nfs_tmp_dir()` and `_create_model_downloading_tmp_dir()` functions, or to the directories they create, to minimize the risk of exploitation.
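The description above turns on two permission modes, 0o777 and 0o770, on scratch directories that later hold cloudpickle artifacts. The following is an added example, not MLflow's code, showing the defender-side checks a practitioner would want: an audit that flags every group- or world-writable (or foreign-owned) directory under an artifact root, a gate to run before `cloudpickle.load()`, and a hardened scratch-directory creator that relies on `tempfile.mkdtemp`'s 0o700 default and verifies it instead of trusting it. The function names (`audit_dir_permissions`, `safe_to_deserialize`, `create_private_tmp_dir`, `build_demo_tree`) and the sample directory tree are constructed for this illustration.

```python
import os
import stat
import tempfile

# Added example (not MLflow's code): helpers a defender can run before trusting
# a scratch directory that will hold cloudpickle artifacts. Function names and
# the demo tree are constructed for this illustration.

# Mode bits that let a non-owner create, rename or replace entries inside a
# directory; 0o777 sets both of them, 0o770 sets the group bit.
UNSAFE_DIR_BITS = stat.S_IWGRP | stat.S_IWOTH


def dir_mode(path):
    """Permission bits of `path` as an int (e.g. 0o700), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_dir_permissions(root):
    """Walk `root` without following symlinks and report every directory that a
    local non-owner could write into, as (path, octal-mode string, reason)."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != os.getuid():
            findings.append((dirpath, oct(mode), "not owned by current user"))
        elif mode & stat.S_IWOTH:
            findings.append((dirpath, oct(mode), "world-writable"))
        elif mode & stat.S_IWGRP:
            findings.append((dirpath, oct(mode), "group-writable"))
    return sorted(findings)


def safe_to_deserialize(root):
    """Gate to place in front of cloudpickle.load(): True only if no directory
    under `root` is writable by another local user."""
    return not audit_dir_permissions(root)


def create_private_tmp_dir(parent=None):
    """Hardened counterpart of a 0o777/0o770 scratch directory: mkdtemp creates
    it with mode 0o700, and the mode is verified rather than assumed."""
    path = tempfile.mkdtemp(prefix="model-", dir=parent)
    if dir_mode(path) & UNSAFE_DIR_BITS:
        os.chmod(path, 0o700)
    return path


def build_demo_tree():
    """Constructed sample: a private root with one 0o777 child and one 0o770
    child, mimicking the two insecure modes described in the advisory."""
    root = tempfile.mkdtemp(prefix="demo-")
    world = os.path.join(root, "nfs_tmp")
    group = os.path.join(root, "model_dl")
    os.mkdir(world)
    os.chmod(world, 0o777)
    os.mkdir(group)
    os.chmod(group, 0o770)
    return root, world, group


if __name__ == "__main__":
    root, _, _ = build_demo_tree()
    for path, mode, reason in audit_dir_permissions(root):
        print(f"{mode} {reason}: {path}")
    print("safe to deserialize:", safe_to_deserialize(root))
    private = create_private_tmp_dir(root)
    print("hardened scratch dir:", private, oct(dir_mode(private)))
```

The audit deliberately uses `lstat` and does not follow symlinks, so a link planted inside a writable directory cannot redirect the check elsewhere; the ownership test comes first because a directory owned by another user is untrustworthy regardless of its mode bits.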

Related Identifiers: CVE-2026-4137

Affected Products: Mlflow