CVE-2025-14279 HIGH

CVE-2025-14279: DNS Rebinding Vulnerability in mlflow/mlflow

Vendor: Mlflow
Product: mlflow/mlflow
Weakness: CWE-346 · Origin validation
Published: January 12, 2026
Last update: January 12, 2026

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

MLflow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks because the MLflow REST server does not validate the Origin header. This allows a malicious website to bypass Same-Origin Policy protections and make unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
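
The kind of check whose absence the description names can be sketched as a WSGI middleware. This is an added example, not MLflow's code and not the 3.5.0 fix; `OriginGuard`, `probe`, the allowlists and the `rebind.example` name are assumptions made for illustration, and the Host allowlist is included here as a complement to the Origin check.

```python
from urllib.parse import urlsplit

# Assumed deployment values (hypothetical): the names this server is reached by.
ALLOWED_HOSTS = {"localhost:5000", "127.0.0.1:5000"}
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}

def normalize_origin(value):
    """Return scheme://host[:port] in lowercase, or None if not a plain origin."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # also rejects the opaque origin "null"
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

class OriginGuard:
    """WSGI middleware: refuse requests whose Host or Origin is not allowlisted."""
    def __init__(self, app, hosts=ALLOWED_HOSTS, origins=ALLOWED_ORIGINS):
        self.app, self.hosts, self.origins = app, hosts, origins

    def allowed(self, environ):
        host = environ.get("HTTP_HOST", "").lower()
        if host not in self.hosts:
            return False  # a rebound hostname appears here, not the server's own
        origin = environ.get("HTTP_ORIGIN")
        if origin is None:
            return True  # non-browser clients send no Origin; Host still checked
        return normalize_origin(origin) in self.origins

    def __call__(self, environ, start_response):
        if not self.allowed(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin or host not allowed\n"]
        return self.app(environ, start_response)

def probe(host, origin=None):
    """Run one constructed request through the guard; return the status line."""
    seen = []
    def backend(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    environ = {"REQUEST_METHOD": "POST", "HTTP_HOST": host}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    OriginGuard(backend)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Upgrading to 3.5.0 remains the remedy the record gives; a wrapper like this only illustrates the validation a server on an affected version would otherwise lack.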

Key dates

02 Disclosure timeline

January 12, 2026 CVE published
January 12, 2026 Record updated