Description
In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
Published: 2026-05-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In mlflow versions up to 3.9.0 the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack per-model authorization checks when basic authentication is enabled. This omission allows any authenticated user to enumerate all model versions and metadata—including names, version descriptions, source URIs, tags, and other properties—across all registered models. The weakness is a combination of CWE-284 Authorization Bypass and CWE-639 Authorization Bypass.

Affected Systems

The affected product is the mlflow project (mlflow:mlflow/mlflow). All releases up to and including 3.9.0 are vulnerable; the issue was fixed in version 3.10.0 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploitation yet. The likely attack vector involves an authenticated remote user exploiting the web service; such a user can retrieve sensitive metadata across all models, potentially exposing proprietary or confidential information in a multi-tenant environment.

Generated by OpenCVE AI on May 21, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to mlflow 3.10.0 or newer, which contains the fix for the missing authorization checks.
  • If an immediate upgrade is not feasible, disable basic authentication for the API or restrict the SearchModelVersions endpoint so that only privileged users can invoke it.
  • For custom deployments, implement additional per-model role checks to enforce authorization on the SearchModelVersions operation.

Generated by OpenCVE AI on May 21, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 21 May 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Thu, 21 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
Title Authorization Bypass in SearchModelVersions in mlflow/mlflow
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-21T12:40:09.114Z

Reserved: 2026-02-19T07:17:33.358Z

Link: CVE-2026-2734

cve-icon Vulnrichment

Updated: 2026-05-21T12:39:59.710Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-21T05:16:22.723

Modified: 2026-05-21T16:08:27.133

Link: CVE-2026-2734

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-21T03:49:38Z

Links: CVE-2026-2734 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T13:30:11Z

Weaknesses