Headline
GHSA-pgqp-8h46-6x4j: MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
- CVE-2025-14279
MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
High severity GitHub Reviewed Published Jan 12, 2026 to the GitHub Advisory Database • Updated Jan 13, 2026
Affected versions
< 3.5.0
Description
Published to the GitHub Advisory Database
Jan 12, 2026
Last updated
Jan 13, 2026
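As an added illustration (not MLflow's code and not the 3.5.0 patch), the following WSGI middleware shows the kind of check the advisory says was missing: an Origin allowlist, paired here with a Host allowlist because a rebound request carries the attacker's hostname in Host. The allowlist values, `RebindingGuard`, `demo_app` and `status_for` are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumed deployment values, constructed for this example.
ALLOWED_HOSTS = {"localhost:5000", "127.0.0.1:5000"}
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}

class RebindingGuard:
    """WSGI middleware that rejects requests with a non-allowlisted Host or Origin."""

    def __init__(self, app, hosts=ALLOWED_HOSTS, origins=ALLOWED_ORIGINS):
        self.app, self.hosts, self.origins = app, set(hosts), set(origins)

    def check(self, environ):
        """Return None if the request may proceed, else a rejection reason."""
        # After a rebind the browser still sends the name it resolved in Host,
        # even though the connection now lands on this server.
        if environ.get("HTTP_HOST", "").lower() not in self.hosts:
            return "host not allowed"
        # Origin is absent on many non-browser clients (curl, SDKs), so only
        # a present-but-unlisted value is refused, including the literal "null".
        origin = environ.get("HTTP_ORIGIN")
        if origin is not None:
            parts = urlsplit(origin)
            if f"{parts.scheme}://{parts.netloc}".lower() not in self.origins:
                return "origin not allowed"
        return None

    def __call__(self, environ, start_response):
        reason = self.check(environ)
        if reason is None:
            return self.app(environ, start_response)
        body = reason.encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [body]

def demo_app(environ, start_response):
    """Stand-in for the protected REST application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def status_for(environ):
    """Send one constructed request through the guard; return the status line."""
    seen = []
    RebindingGuard(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Upgrading to 3.5.0, the version the advisory lists as resolving the issue, remains the fix; a guard like this is a compensating control in front of a server that cannot be upgraded yet.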