Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
8DescriptionNVD
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the api_key field in gateway secrets can accept $ENV_VAR references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream api_base. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without basic-auth. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
AnalysisAI
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive credentials from the MLflow AI Gateway by abusing the $ENV_VAR resolution feature in gateway secret configuration. By registering or modifying a gateway route where api_key references an environment variable like $AWS_SECRET_ACCESS_KEY and pointing api_base at an attacker-controlled endpoint, the resolved secret is transmitted in upstream provider authentication headers. Publicly available exploit code exists via the huntr.com bounty disclosure, though EPSS remains low at 0.28% (51st percentile) and the issue is not in CISA KEV.
Technical ContextAI
MLflow is an open-source MLOps platform whose AI Gateway component proxies requests to LLM providers using YAML-defined routes containing provider credentials. The vulnerable code path in mlflow/gateway/config.py function _resolve_api_key_from_input unconditionally interpreted any api_key value starting with $ as a reference to a server-side environment variable and substituted its value at runtime. This maps to CWE-201 (Insertion of Sensitive Information Into Sent Data): the resolved secret is then placed into Authorization headers sent to the configured api_base URL, allowing data to leave a trust boundary. CPE coverage is cpe:2.3:a:mlflow:mlflow:* with EUVD-2026-34068 cataloging all versions below 3.11.0.
RemediationAI
Vendor-released patch: MLflow 3.11.0 - upgrade immediately via pip install --upgrade mlflow>=3.11.0. The fix (commit 4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3) gates $ENV_VAR resolution behind a new MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV flag that defaults to False and is only auto-enabled for the legacy YAML-config gateway path, so after upgrading, do not set this flag to true on multi-tenant or internet-exposed deployments. As compensating controls until you can patch, audit existing gateway YAML configurations and replace any api_key: $VAR references with literal values or file-based secrets, enforce basic-auth on the MLflow server to remove unauthenticated access, restrict outbound egress from the MLflow host so it can only reach known provider api_base domains (blocks the exfiltration channel at the cost of breaking any new provider additions), and place the gateway behind an authenticating reverse proxy that controls who may create or modify routes. Patch URL: https://github.com/mlflow/mlflow/commit/4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34068
GHSA-g35p-px32-whv6