Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 pypi packages depend on mlflow (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.10.0.
DescriptionCVE.org
In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of SearchModelVersions in the BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS for the REST API, and its omission from GraphQLAuthorizationMiddleware.PROTECTED_FIELDS for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
AnalysisAI
Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint SearchModelVersions and the GraphQL query mlflowSearchModelVersions were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.
Technical ContextAI
MLflow's self-hosted tracking server implements basic HTTP authentication via the mlflow.server.auth module. Authorization is enforced through two complementary hooks: BEFORE_REQUEST_VALIDATORS (pre-request permission checks) and AFTER_REQUEST_HANDLERS (post-response result filtering). The fix commit confirms that SearchModelVersions was absent from both the BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS registries, meaning no pre-check blocked the request and no filter_search_model_versions function was applied to strip unauthorized model versions from the response. For the GraphQL surface, GraphQLAuthorizationMiddleware maintained a PROTECTED_FIELDS list and a resolve() pipeline, but mlflowSearchModelVersions was missing from PROTECTED_FIELDS and no _post_resolve filtering existed. The root cause is CWE-284 (Improper Access Control) - a missing enforcement point on a data retrieval path, not a logic bypass or injection. The affected CPE is cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*, covering all versions through 3.9.0 on the self-hosted deployment path.
RemediationAI
Upgrade to MLflow 3.10.0, which is the vendor-released patch confirmed by the upstream commit. The fix registers SearchModelVersions into AFTER_REQUEST_HANDLERS with a new filter_search_model_versions function that filters returned model versions based on the authenticated user's registered model permissions, and adds mlflowSearchModelVersions to the GraphQL _post_resolve pipeline with equivalent filtering logic. The fix commit is at https://github.com/mlflow/mlflow/commit/6989066af33fdcb03588fd71a1a67f8fc5ef12c9. If immediate upgrade is not possible, a compensating control is to place the MLflow tracking server behind a network perimeter accessible only to fully trusted users, which reduces the attacker pool but does not eliminate the authorization gap - any user who can authenticate retains full enumeration capability. A second compensating control is to block or rewrite requests to /ajax-api/2.0/mlflow/model-versions/search and the GraphQL endpoint at a reverse proxy layer; this prevents exploitation at the cost of disabling legitimate model version search functionality for all users.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31210
GHSA-w5xq-c4pf-ghq7