CVE-2026-2652
Published: 2026-05-15 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 8.6 HIGH
- Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- CWE: CWE-305
Affected products
| Vendor | Product |
|---|---|
| lfprojects | mlflow |
Description
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-2652)
- [Patch](https://github.com/mlflow/mlflow/commit/bb62e773263c14e9ba4d1a82fe72d0de2442c6aa)
- [Exploit reference](https://huntr.com/bounties/5aeff5f0-49c7-4180-b5cb-c9a046f16756)
Related CVEs
Same vendor
- CVE-2026-10803 — A flaw has been found in MLflow up to 3.10.0 (3.6 LOW)
- CVE-2026-4035 — A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which... (7.7 HIGH)
- CVE-2026-3198 — MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints (6.5 MEDIUM)
- CVE-2026-2651 — A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifac... (9.0 CRITICAL)
- CVE-2026-2734 — In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack... (6.5 MEDIUM)
Same CWE
- CVE-2026-25555 — OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows un... (9.8 CRITICAL)
- CVE-2026-9798 — A flaw was found in Keycloak, an open-source identity and access management solution (4.3 MEDIUM)
- CVE-2026-41054 — In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`) (7.8 HIGH)
- CVE-2026-6334 — Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code red... (3.1 LOW)
- CVE-2026-3591 — A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0) (5.4 MEDIUM)