CVE-2025-15381

EUVD-2025-209100 | GHSA-g6pg-52vf-843h | HIGH 8.1 (CVSS 3.0)
2026-03-27 | @huntr_ai

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 27, 2026 - 16:45 (euvd), EUVD-2025-209100
Analysis Generated: Mar 27, 2026 - 16:45 (vuln.today)
CVE Published: Mar 27, 2026 - 16:17 (nvd), HIGH 8.1

Description

In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.

Analysis

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated user with no experiment permissions to read trace metadata and create unauthorized assessments. The vulnerability affects MLflow deployments running with the '--app-name=basic-auth' flag and carries a CVSS score of 8.1 (High), with a network-based attack vector requiring low-privilege authentication. This vulnerability was reported via the HackerOne bug bounty platform (@huntr_ai), with no public exploit identified at the time of analysis.

Technical Context

MLflow is an open-source platform for managing the machine learning lifecycle, including experimentation, reproducibility, and deployment. The affected component is the basic-auth application module, which implements permission-based access controls for experiment resources. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): specific API endpoints for tracing functionality and assessment creation bypass the permission validation layer. The CPE identifier (cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*) indicates broad version impact across the MLflow product line. Tracing endpoints expose metadata about ML experiment execution flows, while assessment endpoints allow annotation and evaluation of traces; both should be protected by the role-based access control system when basic-auth is enabled.

Affected Products

MLflow/mlflow versions running the basic-auth application are affected, as indicated by CPE cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*. The vulnerability description states 'latest version of mlflow/mlflow', suggesting recent releases are impacted. Deployments are only vulnerable when the MLflow server is explicitly launched with the '--app-name=basic-auth' command-line flag. The vulnerability was documented in HuntrDev bounty report 149fb2f9-ef4b-4136-a25c-20563451904c, available at https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c. Organizations should check whether the basic-auth module is actively enabled in their deployment configuration to determine applicability.

Remediation

Consult the HuntrDev bounty disclosure at https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c for vendor-released patch information and specific version guidance. As an interim mitigation, implement network-layer access controls to restrict access to MLflow tracing and assessment API endpoints (/api/2.0/mlflow/traces/* and related assessment paths) to only trusted administrator IP ranges. Consider disabling the basic-auth application if multi-tenant permission enforcement is not required, or implement reverse proxy authentication with explicit endpoint-level authorization rules that enforce experiment-level permissions before proxying requests to MLflow. Review audit logs for any unauthorized trace reads or assessment creation activity by users lacking experiment permissions to identify potential exploitation. Organizations should subscribe to MLflow security advisories and monitor the GitHub repository for security-related commits addressing this permission bypass.
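The log review suggested above, sketched as an added example (not code from MLflow or from this advisory). It assumes a reverse proxy in front of MLflow that writes Combined Log Format with the basic-auth username in the third field, and a hypothetical `permitted_users` set naming the accounts expected to hold experiment permissions.

```python
import re
from collections import defaultdict

# Assumption: the proxy logs in Common/Combined Log Format, where the third
# field is the basic-auth username.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The advisory names /api/2.0/mlflow/traces/*; accepting any API version
# number here is an assumption so that related paths are not missed.
TRACE_PATH_RE = re.compile(r'^/api/\d+\.\d+/mlflow/traces(?:[/?]|$)')
READ_METHODS = {"GET", "HEAD"}

def review_trace_access(lines, permitted_users):
    """Summarise successful trace-endpoint requests made by users who are
    not in permitted_users (accounts expected to hold experiment access)."""
    findings = defaultdict(
        lambda: {"reads": 0, "writes": 0, "first_seen": None, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not TRACE_PATH_RE.match(m["path"]):
            continue
        if not m["status"].startswith("2"):  # rejected requests returned no data
            continue
        if m["user"] in permitted_users:
            continue
        entry = findings[m["user"]]
        entry["reads" if m["method"] in READ_METHODS else "writes"] += 1
        entry["first_seen"] = entry["first_seen"] or m["ts"]  # log is chronological
        entry["ips"].add(m["ip"])
    return dict(findings)

# Constructed sample lines: usernames, IPs, trace IDs and path shapes are illustrative.
SAMPLE_LOG = [
    '10.0.0.5 - user_a [27/Mar/2026:16:20:01 +0000] "GET /api/2.0/mlflow/traces/tr-001 HTTP/1.1" 200 812',
    '10.0.0.9 - user_b [27/Mar/2026:16:21:10 +0000] "GET /api/2.0/mlflow/traces/tr-001 HTTP/1.1" 200 812',
    '10.0.0.9 - user_b [27/Mar/2026:16:21:30 +0000] "POST /api/2.0/mlflow/traces/tr-001/assessments HTTP/1.1" 200 120',
    '10.0.0.9 - user_b [27/Mar/2026:16:22:00 +0000] "GET /api/2.0/mlflow/experiments/get?experiment_id=1 HTTP/1.1" 403 64',
    '10.0.0.7 - user_c [27/Mar/2026:16:23:00 +0000] "GET /api/2.0/mlflow/traces/tr-002 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for user, info in review_trace_access(SAMPLE_LOG, {"user_a"}).items():
        print(user, info)
```

A flagged user is a lead to check against the experiment permissions actually granted in the basic-auth database, not proof of abuse on its own.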

Priority Score

41 (KEV: 0, EPSS: +0.0, CVSS: +40, POC: 0)
