Description
In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
Published: 2026-05-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In mlflow versions up to 3.9.0 the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack per-model authorization checks when basic authentication is enabled. This omission allows any authenticated user to enumerate all model versions and metadata—including names, version descriptions, source URIs, tags, and other properties—across all registered models. The weakness is a combination of CWE-284 Authorization Bypass and CWE-639 Authorization Bypass.

Affected Systems

The affected product is the mlflow project (mlflow:mlflow/mlflow). releases up to and including 3.9.0 are vulnerable; the issue was fixed in version 3.10.0 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of < 1% shows a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. The likely attack vector involves an authenticated remote user exploiting the web service; such a user can retrieve sensitive metadata across all models, potentially exposing proprietary or confidential information in a multi-tenant environment.

Generated by OpenCVE AI on June 2, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to mlflow 3.10.0 or newer, which contains the fix for the missing authorization checks.
  • If an immediate upgrade is not feasible, disable basic authentication for the API or restrict the SearchModelVersions endpoint so that only privileged users can invoke it.
  • For custom deployments, implement additional per-model role checks to enforce authorization on the SearchModelVersions operation.

Generated by OpenCVE AI on June 2, 2026 at 02:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w5xq-c4pf-ghq7 MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks
History

Tue, 02 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 21 May 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Thu, 21 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
Title Authorization Bypass in SearchModelVersions in mlflow/mlflow
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-21T12:40:09.114Z

Reserved: 2026-02-19T07:17:33.358Z

Link: CVE-2026-2734

cve-icon Vulnrichment

Updated: 2026-05-21T12:39:59.710Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-21T05:16:22.723

Modified: 2026-06-02T01:19:07.163

Link: CVE-2026-2734

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-21T03:49:38Z

Links: CVE-2026-2734 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T03:00:13Z

Weaknesses