{"api_version":"1","generated_at":"2026-05-19T04:24:09+00:00","cve":"CVE-2026-4137","urls":{"html":"https://cve.report/CVE-2026-4137","api":"https://cve.report/api/cve/CVE-2026-4137.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-4137","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-4137"},"summary":{"title":"Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory Permissions in mlflow/mlflow","description":"In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.","state":"PUBLISHED","assigner":"@huntr_ai","published_at":"2026-05-18 21:16:40","updated_at":"2026-05-18 21:16:40"},"problem_types":["CWE-378","CWE-378 CWE-378 Creation of Temporary File With Insecure Permissions"],"metrics":[{"version":"3.0","source":"security@huntr.dev","type":"Secondary","score":"7","severity":"HIGH","vector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"7","severity":"HIGH","vector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.0"}}],"references":[{"url":"https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a","name":"https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a","refsource":"security@huntr.dev","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6","name":"https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6","refsource":"security@huntr.dev","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-4137","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4137","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"mlflow","product":"mlflow/mlflow","version":"affected unspecified 3.11.0 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"mlflow/mlflow","vendor":"mlflow","versions":[{"lessThan":"3.11.0","status":"affected","version":"unspecified","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed."}],"metrics":[{"cvssV3_0":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-378","description":"CWE-378 Creation of Temporary File With Insecure Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-18T20:26:23.104Z","orgId":"c09c270a-b464-47c1-9133-acb35b22c19a","shortName":"@huntr_ai"},"references":[{"url":"https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6"},{"url":"https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a"}],"source":{"advisory":"648dc30b-76c7-4433-86b8-f43d926fd8d6","discovery":"EXTERNAL"},"title":"Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory Permissions in mlflow/mlflow"}},"cveMetadata":{"assignerOrgId":"c09c270a-b464-47c1-9133-acb35b22c19a","assignerShortName":"@huntr_ai","cveId":"CVE-2026-4137","datePublished":"2026-05-18T20:26:23.104Z","dateReserved":"2026-03-13T15:15:45.839Z","dateUpdated":"2026-05-18T20:26:23.104Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-18 21:16:40","lastModifiedDate":"2026-05-18 21:16:40","problem_types":["CWE-378","CWE-378 CWE-378 Creation of Temporary File With Insecure Permissions"],"metrics":{"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"4137","Ordinal":"1","Title":"Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory ","CVE":"CVE-2026-4137","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"4137","Ordinal":"1","NoteData":"In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.","Type":"Description","Title":"Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory "}]}}}