Skip to main content

MLflow CVE-2026-3198

| EUVDEUVD-2026-33880 MEDIUM
Improper Access Control (CWE-284)
2026-06-02 @huntr_ai GHSA-r5m9-wm49-959f
6.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 04:15 vuln.today

DescriptionCVE.org

MLflow 3.9.0 with basic-auth (--app-name basic-auth) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.

AnalysisAI

Missing authorization enforcement in MLflow 3.9.0 allows any low-privileged authenticated user to enumerate all gateway secrets, endpoints, and model definitions via three unprotected Gateway API list endpoints. The root cause is an omission in the BEFORE_REQUEST_HANDLERS dictionary within mlflow/server/auth/__init__.py, which gates authorization for request handlers - three Gateway API list operations (ListGatewaySecretInfos, ListGatewayEndpoints, ListGatewayModelDefinitions) are absent from this registry, bypassing access control entirely when basic-auth is active. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low attack complexity and high confidentiality impact warrant prompt remediation in any deployment with multi-tenant or least-privilege access expectations.

Technical ContextAI

MLflow is an open-source ML lifecycle platform; version 3.9.0 introduced Gateway API functionality for managing AI model endpoints and associated secrets. When deployed with the --app-name basic-auth flag, MLflow uses a request-interception pattern via a BEFORE_REQUEST_HANDLERS Python dictionary to enforce per-endpoint authorization. The affected code lives in mlflow/server/auth/__init__.py. CWE-284 (Improper Access Control) applies: the authorization mechanism exists and functions correctly for other routes, but three Gateway list handlers - ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions - were never registered in that dictionary, causing the auth middleware to skip enforcement silently. The CPE cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:* covers the MLflow Python package on PyPI; the wildcard version field indicates affected version scope has not been formally bounded beyond the 3.9.0 disclosure.

RemediationAI

No vendor-released patched version has been independently confirmed from the available data - the fix version is not specified in the NVD CPE, the huntr advisory, or any referenced vendor changelog. The structural fix requires adding entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions to the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py, which MLflow maintainers should be implementing as part of the disclosed bounty remediation. Until a patched release is confirmed, operators should apply these compensating controls: (1) Restrict network access to the MLflow server to only trusted users or internal networks - placing it behind a VPN or firewall reduces exposure since AV:N requires reachability; (2) Disable or avoid use of the Gateway API feature if not operationally required, eliminating the exposed endpoints entirely; (3) Rotate any API keys or secrets currently stored in MLflow Gateway, as they should be treated as potentially compromised if untrusted authenticated users exist. Track the huntr advisory at https://huntr.com/bounties/e57db731-97d3-40c3-a429-831ee959807f and the MLflow GitHub repository for a confirmed patch release.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

Vendor StatusVendor

Share

CVE-2026-3198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy