Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Any authenticated user (PR:L) can remotely (AV:N/AC:L) read and alter other tenants' traces (C:H/I:H); no availability loss beyond deletion of data already covered by integrity, so A:N.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the _before_request handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
AnalysisAI
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the _before_request authorization handler, so requests reach these endpoints without any validator running. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) MLflow running with authentication enabled - the built-in permission model must be active, otherwise there is nothing to bypass; and (2) the attacker holding a valid authenticated account of any privilege level (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, score 8.1) describes a network-reachable, low-complexity attack requiring only low privileges (any valid authenticated account) with high confidentiality and integrity impact and no availability impact - consistent with a horizontal privilege-escalation / authorization-bypass against multi-tenant trace data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any valid low-privilege MLflow account on an authenticated, multi-tenant tracking server sends trace API requests referencing experiment IDs owned by other teams. Because no authorization validator runs for trace endpoints, the server returns or modifies those traces, letting the attacker exfiltrate sensitive prompt/inference data, tamper with results, or delete traces to destroy audit history. … |
| Remediation | Vendor-released patch: upgrade to MLflow 3.14.0 or later, which registers authorization validators for the trace API endpoints (fix commit f9b1eb510478570609ef451984a255775aa4b937). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and document all MLflow deployments and versions; enable comprehensive audit logging on trace API endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41257
GHSA-2cm6-r77w-6g96