CVE-2025-1473: A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.
highvulnerability
security
Summary
A CSRF vulnerability (cross-site request forgery, where an attacker tricks a user into performing unwanted actions on a website) exists in the Signup feature of MLflow versions 2.17.0 to 2.20.1, allowing attackers to create unauthorized accounts. This could enable an attacker to perform malicious actions while appearing to be a legitimate user.
Solution / Mitigation
A patch is available at https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628.
Vulnerability Details
CVSS Score
7.1(high)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Type
Other
Attack SophisticationTrivial
Impact (CIA+S)
integrity
AI Component TargetedFramework
Taxonomy References
CWE (Weakness Type)
Affected Vendors
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-1473
First tracked: February 15, 2026 at 08:46 PM
Classified by LLM (prompt v3) · confidence: 85%