MLflow AutoML Project Exposed to Cryptography Vulnerability (CVE-2026-34073) via Outdated Dependency

An MLflow AutoML project for ambient temperature regression was found running with a critically outdated version of the `cryptography` library, exposing it to a recently disclosed security vulnerability. The project's dependency was pinned at version 41.0.0, a version released in 2023, while the current patched release is 46.0.6. The gap of over five major versions left the system unprotected against CVE-2026-34073, a security issue fixed in March 2026.

The vulnerability, CVE-2026-34073, is a bug in the `cryptography` library where name constraints were not correctly applied to peer names during certificate verification when a leaf certificate contains a wildcard DNS SAN. While the maintainers note that ordinary X.509 topologies, including those used by the Web PKI, are not affected, the presence of the flaw in any dependency handling cryptographic operations represents a significant risk. The issue was reported by researcher Oleh Konko (1seal).

The discovery highlights a persistent and critical failure in machine learning operations (MLOps) hygiene: the neglect of dependency management in production-facing data science projects. This specific AutoML project, which appears to be for a regression task, had its dependencies frozen for nearly three years, a common but dangerous practice that prioritizes model reproducibility over system security. The incident serves as a direct warning to data science and ML engineering teams about the operational risks of treating model environments as static artifacts, especially when they may be deployed or integrated into larger, secure systems.