Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
MLflow 3.9.0 with basic-auth (--app-name basic-auth) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.
AnalysisAI
Missing authorization enforcement in MLflow 3.9.0 allows any low-privileged authenticated user to enumerate all gateway secrets, endpoints, and model definitions via three unprotected Gateway API list endpoints. The root cause is an omission in the BEFORE_REQUEST_HANDLERS dictionary within mlflow/server/auth/__init__.py, which gates authorization for request handlers - three Gateway API list operations (ListGatewaySecretInfos, ListGatewayEndpoints, ListGatewayModelDefinitions) are absent from this registry, bypassing access control entirely when basic-auth is active. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the low attack complexity and high confidentiality impact warrant prompt remediation in any deployment with multi-tenant or least-privilege access expectations.
Technical ContextAI
MLflow is an open-source ML lifecycle platform; version 3.9.0 introduced Gateway API functionality for managing AI model endpoints and associated secrets. When deployed with the --app-name basic-auth flag, MLflow uses a request-interception pattern via a BEFORE_REQUEST_HANDLERS Python dictionary to enforce per-endpoint authorization. The affected code lives in mlflow/server/auth/__init__.py. CWE-284 (Improper Access Control) applies: the authorization mechanism exists and functions correctly for other routes, but three Gateway list handlers - ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions - were never registered in that dictionary, causing the auth middleware to skip enforcement silently. The CPE cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:* covers the MLflow Python package on PyPI; the wildcard version field indicates affected version scope has not been formally bounded beyond the 3.9.0 disclosure.
RemediationAI
No vendor-released patched version has been independently confirmed from the available data - the fix version is not specified in the NVD CPE, the huntr advisory, or any referenced vendor changelog. The structural fix requires adding entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions to the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py, which MLflow maintainers should be implementing as part of the disclosed bounty remediation. Until a patched release is confirmed, operators should apply these compensating controls: (1) Restrict network access to the MLflow server to only trusted users or internal networks - placing it behind a VPN or firewall reduces exposure since AV:N requires reachability; (2) Disable or avoid use of the Gateway API feature if not operationally required, eliminating the exposed endpoints entirely; (3) Rotate any API keys or secrets currently stored in MLflow Gateway, as they should be treated as potentially compromised if untrusted authenticated users exist. Track the huntr advisory at https://huntr.com/bounties/e57db731-97d3-40c3-a429-831ee959807f and the MLflow GitHub repository for a confirmed patch release.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33880
GHSA-r5m9-wm49-959f