CVE-2024-3573: mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass
Summary
MLflow (a machine learning platform) has a vulnerability in which its URI parsing function incorrectly classifies certain file paths as non-local, allowing attackers to read sensitive files they should not be able to access. By creating model versions with specially crafted parameters, an attacker can bypass the security checks and read arbitrary files from the system.
Vulnerability Details
9.3 (critical)
EPSS: 0.3%
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-3573
First tracked: February 15, 2026 at 08:46 PM