Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 2 pypi packages depend on mlflow (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.8.1.
DescriptionNVD
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NO_PERMISSIONS on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using mlflow server --app-name=basic-auth are affected.
AnalysisAI
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated user with no experiment permissions to read trace metadata and create unauthorized assessments. The vulnerability affects MLflow deployments running with the '--app-name=basic-auth' flag and carries a CVSS score of 8.1 (High) with network-based attack vector requiring low privilege authentication. This vulnerability was reported via the HackerOne bug bounty platform (@huntr_ai) with no public exploit identified at time of analysis.
Technical ContextAI
MLflow is an open-source platform for managing machine learning lifecycle, including experimentation, reproducibility, and deployment. The affected component is the basic-auth application module, which implements permission-based access controls for experiment resources. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where specific API endpoints for tracing functionality and assessment creation bypass the permission validation layer. The CPE identifier (cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*) indicates broad version impact across the MLflow product line. Tracing endpoints expose metadata about ML experiment execution flows, while assessment endpoints allow annotation and evaluation of traces, both of which should be protected by the role-based access control system when basic-auth is enabled.
RemediationAI
Consult the HuntrDev bounty disclosure at https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c for vendor-released patch information and specific version guidance. As an interim mitigation, implement network-layer access controls to restrict access to MLflow tracing and assessment API endpoints (/api/2.0/mlflow/traces/* and related assessment paths) to only trusted administrator IP ranges. Consider disabling the basic-auth application if multi-tenant permission enforcement is not required, or implement reverse proxy authentication with explicit endpoint-level authorization rules that enforce experiment-level permissions before proxying requests to MLflow. Review audit logs for any unauthorized trace reads or assessment creation activity by users lacking experiment permissions to identify potential exploitation. Organizations should subscribe to MLflow security advisories and monitor the GitHub repository for security-related commits addressing this permission bypass.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209100
GHSA-g6pg-52vf-843h