Skip to main content

MLflow CVE-2026-4035

| EUVDEUVD-2026-34068 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-03 @huntr_ai GHSA-g35p-px32-whv6
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Red Hat
7.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 04, 2026 - 19:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 19:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jun 04, 2026 - 19:37 NVD
CRITICAL HIGH
CVSS changed
Jun 04, 2026 - 19:37 NVD
9.1 (CRITICAL) 7.7 (HIGH)
Patch available
Jun 03, 2026 - 10:00 EUVD
Source Code Evidence Fetched
Jun 03, 2026 - 09:14 vuln.today
Analysis Generated
Jun 03, 2026 - 09:14 vuln.today

DescriptionNVD

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the api_key field in gateway secrets can accept $ENV_VAR references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream api_base. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without basic-auth. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.

AnalysisAI

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive credentials from the MLflow AI Gateway by abusing the $ENV_VAR resolution feature in gateway secret configuration. By registering or modifying a gateway route where api_key references an environment variable like $AWS_SECRET_ACCESS_KEY and pointing api_base at an attacker-controlled endpoint, the resolved secret is transmitted in upstream provider authentication headers. Publicly available exploit code exists via the huntr.com bounty disclosure, though EPSS remains low at 0.28% (51st percentile) and the issue is not in CISA KEV.

Technical ContextAI

MLflow is an open-source MLOps platform whose AI Gateway component proxies requests to LLM providers using YAML-defined routes containing provider credentials. The vulnerable code path in mlflow/gateway/config.py function _resolve_api_key_from_input unconditionally interpreted any api_key value starting with $ as a reference to a server-side environment variable and substituted its value at runtime. This maps to CWE-201 (Insertion of Sensitive Information Into Sent Data): the resolved secret is then placed into Authorization headers sent to the configured api_base URL, allowing data to leave a trust boundary. CPE coverage is cpe:2.3:a:mlflow:mlflow:* with EUVD-2026-34068 cataloging all versions below 3.11.0.

RemediationAI

Vendor-released patch: MLflow 3.11.0 - upgrade immediately via pip install --upgrade mlflow>=3.11.0. The fix (commit 4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3) gates $ENV_VAR resolution behind a new MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV flag that defaults to False and is only auto-enabled for the legacy YAML-config gateway path, so after upgrading, do not set this flag to true on multi-tenant or internet-exposed deployments. As compensating controls until you can patch, audit existing gateway YAML configurations and replace any api_key: $VAR references with literal values or file-based secrets, enforce basic-auth on the MLflow server to remove unauthenticated access, restrict outbound egress from the MLflow host so it can only reach known provider api_base domains (blocks the exfiltration channel at the cost of breaking any new provider additions), and place the gateway behind an authenticating reverse proxy that controls who may create or modify routes. Patch URL: https://github.com/mlflow/mlflow/commit/4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2026-4035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy