Description
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
Published: 2026-05-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A FastAPI authentication bypass allows unauthenticated users to reach routes that are meant to be protected, such as the Job API and the OpenTelemetry trace ingestion API. Because the permission middleware only applies to /gateway/ paths, attackers can submit jobs, view job results, cancel jobs, or inject trace data without providing credentials. This flaw constitutes an authentication weakness (CWE‑305) that can expose sensitive job information and potentially be used to insert arbitrary observability data into experiments.

Affected Systems

The vulnerability is present in mlflow 3.9.0 and all earlier releases of the mlflow/mlflow package. The issue was addressed in version 3.10.0; upgrading to that version or later removes the unprotected routes. Applications running older releases with the --app-name basic-auth flag and served via uvicorn are impacted.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity risk. No EPSS data is available at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending HTTP requests to the exposed FastAPI routes such as /ajax-api/3.0/jobs/* and /v1/traces when the mlflow server is configured with authentication enabled and served by uvicorn. The lack of authentication on these endpoints allows unrestricted access from any network source that can reach the server.

Generated by OpenCVE AI on May 15, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mlflow package to version 3.10.0 or later, which removes the unprotected routes and enforces authentication on all endpoints.
  • Verify that the mlflow server is not started with the --app-name basic-auth flag unless all API routes are properly secured, and ensure uvicorn is configured to respect the authentication middleware.
  • Review and restrict access to the Job API and OpenTelemetry trace ingestion API, applying additional access controls or network segmentation as needed to limit exposure.

Generated by OpenCVE AI on May 15, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Fri, 15 May 2026 03:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
Title Authentication Bypass in mlflow/mlflow
Weaknesses CWE-305
References
Metrics cvssV3_0

{'score': 8.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-15T13:22:21.060Z

Reserved: 2026-02-18T02:53:33.607Z

Link: CVE-2026-2652

cve-icon Vulnrichment

Updated: 2026-05-15T13:22:08.836Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-15T03:16:23.127

Modified: 2026-05-15T14:56:18.253

Link: CVE-2026-2652

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T04:45:36Z

Weaknesses