cd /news/machine-learning/kubeflow-audit-complete · home topics machine-learning article
[ARTICLE · art-37946] src=ostif.org ↗ pub= topic=machine-learning verified=true sentiment=· neutral

Kubeflow Audit Complete

The Open Source Technology Improvement Fund completed a security audit of Kubeflow, auditing six projects in its ecosystem with 14 findings including three critical vulnerabilities. The audit, performed by ADA Logics and supported by the Cloud Native Computing Foundation, included fuzzing, code review, and threat modeling. Kubeflow maintainers have addressed the issues, and users are urged to update to the latest release.

read2 min views1 publishedJun 24, 2026

The Open Source Technology Improvement Fund is proud to share the results of our security audit of Kubeflow. Kubeflow functions for building and deploying customizable machine learning workflows in Kubernetes, and has many subprojects able to be implemented individually or in combination. Thanks to ADA Logics and the Cloud Native Computing Foundation, Kubeflow underwent a custom security engagement that audited 6 projects in the Kubeflow ecosystem.

Audit Process:

In late summer of 2025, two security engineers from ADA Logics performed a holistic review of a selection of projects in the Kubeflow ecosystem: Katib, Trainer, Spark Operator, Notebooks, Model Registry, and Pipelines. These audits included CI testing, fuzzing work, thread modeling, code review, and supply chain security review for each of the projects. Read more about each project’s results in the audit report linked below.

Audit Results:

  • 14 Findings with Security Impact

  • 3 Critical

  • 7 Moderate

  • 2 Low

  • 2 Informational

  • OpenSSF Scorecard assessments of all 6 projects

  • Custom threat modelling documentation for all 6 projects

  • Fuzzing implemented for 4 projects: Katib, Pipeline, Spark Operator, and Model Registry

  • Custom documentation of the audit scope, discovery, and findings with security impact.

Kubeflow maintainers and community worked to resolve and address the issues reported during this engagement. To take advantage of the work done, update to the most recent release of Kubeflow.

As machine learning rapidly advances and changes the open source environment, engagements that holistically engage with projects in Artificial Intelligence (AI) are important to the ecosystem. They create documentation about the security implications of a project at a given time in order to help maintainers with future development as well as educate users on safe and best practices in the code they are utilizing in AI.

Thank you to the individuals and groups that made this engagement possible:

  • Kubeflow maintainers and community, especially: Julius Von Kojout, Matthew Wicks, Francisco Arceo, Humair Kahn, Jeff Spahr, Andy Stoneberg, and Andrey Velichkevich
  • ADA Logics: Adam Korczynski and David Korczynski
  • Cloud Native Computing Foundation

You can read the Audit Report HERE

Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us!

source & further reading
ostif.org — original article
── more in #machine-learning 4 stories · sorted by recency
── more on @open source technology improvement fund 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/kubeflow-audit-compl…] indexed:0 read:2min 2026-06-24 ·