CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
Summary
CVE-2024-37052 is a vulnerability in MLflow (a machine learning platform) version 1.1.0 and newer where deserialization of untrusted data (converting data from an external format back into code without checking if it's safe) allows a malicious scikit-learn model (a machine learning library) to execute arbitrary code on a user's system when the model is loaded and used. This means an attacker could upload a harmful model that runs malicious commands when someone interacts with it.
Vulnerability Details
8.8(high)
EPSS: 0.4%
Classification
Affected Vendors
Related Issues
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
CVE-2025-14927: Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability al
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-37052
First tracked: February 15, 2026 at 08:42 PM
Classified by LLM (prompt v3) · confidence: 92%