Skip to main content

MLflow CVE-2026-2734

| EUVDEUVD-2026-31210 MEDIUM
Improper Access Control (CWE-284)
2026-05-21 @huntr_ai GHSA-w5xq-c4pf-ghq7
6.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 21, 2026 - 06:01 EUVD
Source Code Evidence Fetched
May 21, 2026 - 05:14 vuln.today
Analysis Generated
May 21, 2026 - 05:14 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on mlflow (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.10.0.

DescriptionCVE.org

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of SearchModelVersions in the BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS for the REST API, and its omission from GraphQLAuthorizationMiddleware.PROTECTED_FIELDS for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.

AnalysisAI

Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint SearchModelVersions and the GraphQL query mlflowSearchModelVersions were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.

Technical ContextAI

MLflow's self-hosted tracking server implements basic HTTP authentication via the mlflow.server.auth module. Authorization is enforced through two complementary hooks: BEFORE_REQUEST_VALIDATORS (pre-request permission checks) and AFTER_REQUEST_HANDLERS (post-response result filtering). The fix commit confirms that SearchModelVersions was absent from both the BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS registries, meaning no pre-check blocked the request and no filter_search_model_versions function was applied to strip unauthorized model versions from the response. For the GraphQL surface, GraphQLAuthorizationMiddleware maintained a PROTECTED_FIELDS list and a resolve() pipeline, but mlflowSearchModelVersions was missing from PROTECTED_FIELDS and no _post_resolve filtering existed. The root cause is CWE-284 (Improper Access Control) - a missing enforcement point on a data retrieval path, not a logic bypass or injection. The affected CPE is cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*, covering all versions through 3.9.0 on the self-hosted deployment path.

RemediationAI

Upgrade to MLflow 3.10.0, which is the vendor-released patch confirmed by the upstream commit. The fix registers SearchModelVersions into AFTER_REQUEST_HANDLERS with a new filter_search_model_versions function that filters returned model versions based on the authenticated user's registered model permissions, and adds mlflowSearchModelVersions to the GraphQL _post_resolve pipeline with equivalent filtering logic. The fix commit is at https://github.com/mlflow/mlflow/commit/6989066af33fdcb03588fd71a1a67f8fc5ef12c9. If immediate upgrade is not possible, a compensating control is to place the MLflow tracking server behind a network perimeter accessible only to fully trusted users, which reduces the attacker pool but does not eliminate the authorization gap - any user who can authenticate retains full enumeration capability. A second compensating control is to block or rewrite requests to /ajax-api/2.0/mlflow/model-versions/search and the GraphQL endpoint at a reverse proxy layer; this prevents exploitation at the cost of disabling legitimate model version search functionality for all users.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

Vendor StatusVendor

Share

CVE-2026-2734 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy