Cyber Resilience

CVE-2025-14279

HighPublic PoC

Published: 12 January 2026

Published
12 January 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3 8.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0019 9.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-14279 is a high-severity Origin Validation Error (CWE-346) vulnerability in Lfprojects Mlflow. Its CVSS base score is 8.1 (High).

Operationally, ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls…

more

against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mlflow

Related Threats

Affected Assets

lfprojects
mlflow
≤ 3.5.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-346

Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.

addresses: CWE-346

Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.

addresses: CWE-346

Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.

addresses: CWE-346

Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.

addresses: CWE-346

Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

References