MLflow and its community take security bugs seriously. We appreciate efforts to improve the security of MLflow and follow the GitHub coordinated disclosure of security vulnerabilities for responsible disclosure and prompt mitigation. We are committed to working with security researchers to resolve the vulnerabilities they discover.

The latest version of MLflow has continued support. If a critical vulnerability is found in the current version of MLflow, we may opt to backport patches to previous versions.

Due to an excessive volume of low-quality, AI-generated reports (including duplicates, low-effort submissions, non-reproducible claims, and spam), we no longer accept vulnerability reports through bounty platforms such as Huntr. All reports submitted through such platforms will be automatically closed without review.

Please use the reporting process described below instead.

When finding a security vulnerability in MLflow, please report it through GitHub's private vulnerability reporting. Include detailed information about the security vulnerability, evidence that supports the relevance of the finding, and any reproducibility instructions for independent confirmation. Do not disclose vulnerability details publicly until coordinated disclosure has been completed.

MLflow maintainers will review and validate your report within the associated GitHub Security Advisory, using it to coordinate private discussion of the vulnerability details, develop a fix, and publicly disclose the issue after the fix has been released.