MLflow Cross-Site Request Forgery Vulnerability in Signup Feature

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Signup feature of MLflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which could be used to perform unauthorized actions on behalf of the user.

Impact

Exploitation of this vulnerability could lead to unauthorized account creation and actions performed under that account.

Reproduction

To reproduce this vulnerability, log into an MLflow instance running a vulnerable version, enable basic authentication, and navigate to the signup page. An attacker could exploit the CSRF vulnerability by tricking a user into submitting the signup form, then use the newly created account to perform unauthorized actions.

Remediation

Users can disable CSRF protection by setting the 'MLFLOW_FLASK_SERVER_SECRET_KEY' environment variable to 'None'. However, this may expose the application to other CSRF-related vulnerabilities.
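The defect class described above is a state-changing form that accepts any POST, regardless of where the request originated. The following added example (not MLflow's code, and not the project's actual fix) shows a minimal signup handler with that weakness beside a hardened one that applies the standard defences: a synchronizer token bound to the session and an explicit Origin/Referer check. The server secret, the allowed origin `https://mlflow.example`, and the `Session`/`Request` classes are constructed for the illustration.

```python
"""Added example: an unprotected signup handler beside a CSRF-hardened one.
All names, the secret and the origin are constructed for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hypothetical server-side secret, constructed for the example. A real
# deployment loads it from configuration and never hard-codes it.
SERVER_SECRET = b"example-secret-key-not-for-production"
ALLOWED_ORIGIN = "https://mlflow.example"  # constructed hostname


@dataclass
class Session:
    """Stands in for the browser session the victim already holds."""
    session_id: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal model of an incoming HTTP request."""
    method: str
    form: dict
    headers: dict
    session: Session


def issue_csrf_token(session: Session) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The server embeds it in its own signup form; a page on another site
    cannot read it because it never sees the session id or the secret."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session: Session, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    # constant-time comparison so the check does not leak the token
    return hmac.compare_digest(issue_csrf_token(session), submitted)


def origin_allowed(headers: dict) -> bool:
    """Independent second check: the browser-set Origin (or Referer) header
    must name our own site. Parse it instead of prefix-matching, so a host
    such as 'mlflow.example.attacker.test' is not accepted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed, allowed = urlparse(source), urlparse(ALLOWED_ORIGIN)
    return (parsed.scheme, parsed.netloc) == (allowed.scheme, allowed.netloc)


def _store_user(store: dict, username: str, password: str) -> None:
    """Store a salted PBKDF2 hash, never the plaintext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    store[username] = (salt, digest)


def signup_unprotected(req: Request, store: dict) -> Tuple[int, str]:
    """Vulnerable pattern: any POST carrying a username and password creates
    an account, so a form auto-submitted from another site succeeds."""
    if req.method != "POST":
        return 405, "method not allowed"
    username, password = req.form.get("username"), req.form.get("password")
    if not username or not password:
        return 400, "username and password required"
    if username in store:
        return 409, "user exists"
    _store_user(store, username, password)
    return 200, "created"


def signup_protected(req: Request, store: dict) -> Tuple[int, str]:
    """Hardened version: same account logic, but the request must come from
    our origin and carry the token only our own form could contain."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not origin_allowed(req.headers):
        return 403, "cross-origin request rejected"
    if not csrf_token_valid(req.session, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return signup_unprotected(req, store)


if __name__ == "__main__":
    sess = Session()
    cross_site = Request("POST", {"username": "alice", "password": "pw"},
                         {"Origin": "https://attacker.test"}, sess)
    print("unprotected:", signup_unprotected(cross_site, {}))  # (200, 'created')
    print("protected:  ", signup_protected(cross_site, {}))    # (403, ...)
```

The two checks are deliberately independent: the Origin header catches the common case cheaply, while the per-session token still protects requests whose Origin/Referer is absent or stripped by a privacy extension. Either one alone leaves a gap; together they close the pattern this advisory describes.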

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.