CVE-2026-4035
7.7 HIGHA vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which...
Published: 2026-06-03 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 7.7 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- CWE
- CWE-201
Affected products
| Vendor | Product |
|---|---|
| lfprojects | mlflow |
Description
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-4035
- [Patch]https://github.com/mlflow/mlflow/commit/4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3
- [Exploit reference]https://huntr.com/bounties/f8e591a0-0f19-4910-b82e-16c9956f2233
- [Exploit reference]https://huntr.com/bounties/f8e591a0-0f19-4910-b82e-16c9956f2233
Related CVEs
Same vendor
- CVE-2026-10803 — A flaw has been found in MLflow up to 3.10.0 (3.6 LOW)
- CVE-2026-3198 — MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints (6.5 MEDIUM)
- CVE-2026-2651 — A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifac... (9.0 CRITICAL)
- CVE-2026-2734 — In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack... (6.5 MEDIUM)
- CVE-2026-4137 — In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary d... (7.8 HIGH)
Same CWE
- CVE-2026-46481 — OpenMetadata is a unified metadata platform (8.3 HIGH)
- CVE-2026-42539 — IRIS is a web collaborative platform that helps incident responders share technical details during investigations (6.5 MEDIUM)
- CVE-2026-45739 — Strawberry GraphQL is a library for creating GraphQL APIs (3.1 LOW)
- CVE-2026-44653 — LibreChat is an enhanced ChatGPT clone that supports multiple AI providers (6.5 MEDIUM)
- CVE-2026-35447 — NamelessMC is website software for Minecraft servers