CVE-2025-14279 · HIGH 8.1 · EPSS p9.2%

CVE-2025-14279

Description

MLflow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks because the MLflow REST server does not validate the Origin header. A malicious website can rebind its own hostname to the address of the victim's MLflow server (for example, one listening on localhost), so that the browser treats requests to that server as same-origin; this bypasses Same-Origin Policy protections and lets the page issue unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
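
The defence the description implies, shown as an added example rather than MLflow's own code or the fix in the referenced commit: a WSGI middleware (usable in front of a Flask app such as MLflow's) that allowlists the Host header and, when an Origin header is present, the Origin as well. The Host check is what actually stops rebinding, because a rebound page's same-origin GET carries no Origin header but still sends Host: attacker.example. The allowlist, the request path and all sample requests are constructed assumptions.

```python
"""Host/Origin allowlisting for a WSGI app such as MLflow's Flask server.

Added example for the DNS rebinding weakness described above; it is not
MLflow's own code and not the fix in the referenced commit. The allowlist,
header handling and the sample request path are assumptions.
"""
from urllib.parse import urlsplit

# Hosts a local tracking server may legitimately be addressed as (assumption).
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})


def strip_port(hostport):
    """Return the host part of 'host:port'; keeps bracketed IPv6 literals whole."""
    hostport = hostport.strip().lower()
    if hostport.startswith("["):
        end = hostport.find("]")
        return hostport[: end + 1] if end != -1 else hostport
    return hostport.rsplit(":", 1)[0]


def host_allowed(host_header, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """DNS rebinding defence: after rebinding, attacker.example resolves to the
    victim's server, but the browser still sends Host: attacker.example, so any
    Host not on the allowlist is rejected. Same-origin GETs carry no Origin
    header, which is why this check matters even with Origin validation."""
    if not host_header:
        return False
    return strip_port(host_header) in allowed_hosts


def origin_allowed(origin_header, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """No Origin (same-origin GET, curl) is accepted; a present Origin must be
    an http(s) URL whose host is allowlisted. 'null' and garbage are rejected."""
    if origin_header is None:
        return True
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return strip_port(parts.netloc) in allowed_hosts


class HostOriginGuard:
    """WSGI middleware: reject requests whose Host or Origin is not allowlisted
    before they reach the wrapped application."""

    def __init__(self, app, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
        self.app = app
        self.allowed_hosts = frozenset(h.lower() for h in allowed_hosts)

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed_hosts):
            return self._reject(start_response, "Host header not allowed")
        if not origin_allowed(environ.get("HTTP_ORIGIN"), self.allowed_hosts):
            return self._reject(start_response, "Origin header not allowed")
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response, reason):
        body = reason.encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def backend(environ, start_response):
    """Stand-in for the REST server: always answers 200 (constructed)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"experiments": []}']


def send_request(app, method, host, origin=None,
                 path="/api/2.0/mlflow/experiments/search"):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_HOST": host}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo():
    """Constructed requests: legitimate local use versus a rebound attacker page."""
    app = HostOriginGuard(backend)
    return {
        "local_get": send_request(app, "GET", "localhost:5000")[0],
        "rebound_get": send_request(app, "GET", "attacker.example:5000")[0],
        "local_post": send_request(app, "POST", "127.0.0.1:5000",
                                   origin="http://127.0.0.1:5000")[0],
        "cross_origin_post": send_request(app, "POST", "localhost:5000",
                                          origin="http://attacker.example")[0],
        "null_origin": send_request(app, "DELETE", "localhost:5000", origin="null")[0],
        "ipv6_get": send_request(app, "GET", "[::1]:5000")[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18} {status}")
```

When a server is deployed behind a reverse proxy or reached by a DNS name, that name must be added to the allowlist or every legitimate request is refused; the safe failure mode here is a 403 rather than an open server.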

Scoring

CVSS 3.0: 8.1 (HIGH)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.19% probability of exploitation · percentile 9.2% · scored 2026-06-18T12:00:27Z
Published: 2026-01-12
Last modified: 2026-04-14

Underlying weaknesses · 1

CWE-346

References

  1. https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3
  2. https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108

Type        Target                              Confidence  Tier
Weakness    Origin Validation Error (CWE-346)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-2611
  2. Langflow Origin Validation Error Vulnerability (CVE)
  3. CVE-2025-15379
  4. CVE-2025-14287
  5. CVE-2026-2652
  6. CVE-2026-2651

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.