MLflow Artifact Upload Authorization Bypass in Multipart Endpoints

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

MLflow versions 3.10.1 and earlier contain a critical authorization flaw in multipart upload (MPU) endpoints when artifact serving is enabled. The `/mlflow-artifacts/mpu/*` endpoints lack resource-level permission checks, allowing attackers to write arbitrary artifacts to other users' namespaces. This vulnerability directly impacts organizations using MLflow for model management and artifact storage, particularly those with multi-tenant deployments or shared infrastructure. The risk extends beyond simple data tampering—attackers can inject malicious models into the supply chain, leading to arbitrary code execution when downstream systems load and execute compromised artifacts.

Casky's 261 matched skills leverage Claude's extended reasoning to detect the attack patterns associated with MITRE techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners using Casky would identify suspicious patterns including: unauthorized cross-user write operations to artifact endpoints, unexpected modifications to model files outside normal deployment workflows, and anomalous multipart upload sequences that bypass authentication checks. The platform's skill mapping would flag improper authorization enforcement as a privilege escalation technique, while highlighting the supply chain compromise risk inherent in artifact injection attacks. Security teams would see detailed findings on resource-level access control failures and recommendations for implementing proper permission validation on all artifact manipulation endpoints.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-2651.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-2651

Casky has 261 skills that investigate the attack patterns behind CVE-2026-2651. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn