Description
MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.
Published: 2026-06-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in MLflow 3.9.0’s authentication handling; missing request‑handler entries for ListGatewaySecretInfos, ListGatewayEndpoints and ListGatewayModelDefinitions allow any authenticated user to retrieve all gateway secrets, endpoints and model definitions. This results in disclosure of sensitive information such as API keys, endpoint configurations and proprietary model definitions that may contain confidential or proprietary data. The flaw is an improper access control weakness that permits broader data exposure than intended.

Affected Systems

This issue applies to the open‑source MLflow project, specifically version 3.9.0 when running with the Basic Auth application mode (--app-name basic-auth). No other releases are listed as affected, so the risk scope is limited to that particular build with the insecure authentication configuration.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as medium severity. The EPSS score is < 1%, and KEV is not listed in the CISA catalog, indicating no documented exploitation. The required attack vector is an authenticated session; any user with valid credentials—regardless of role—can enumerate gateway data. While the flaw does not grant code execution, the leakage of secrets and configuration information poses a substantial confidentiality risk and could be leveraged in subsequent attacks.

Generated by OpenCVE AI on June 8, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MLflow to a version that includes proper authorization checks for the affected endpoints.
  • If an upgrade cannot occur immediately, restrict Basic Auth usage or enforce stricter role permissions so that only administrators can call the vulnerable list endpoints, and consider disabling the affected endpoints entirely.
  • Continuously monitor API logs for unexpected enumeration activity and audit user roles to confirm that only privileged accounts have access to sensitive gateway information.

Generated by OpenCVE AI on June 8, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-425
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Wed, 03 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:3.9.0:-:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow

Tue, 02 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Tue, 02 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.
Title Improper Access Control in mlflow/mlflow
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-02T13:32:42.643Z

Reserved: 2026-02-25T12:41:24.059Z

Link: CVE-2026-3198

cve-icon Vulnrichment

Updated: 2026-06-02T13:32:37.371Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-02T04:17:03.397

Modified: 2026-06-03T17:07:05.750

Link: CVE-2026-3198

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T02:50:47Z

Links: CVE-2026-3198 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T14:00:20Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-425

    Direct Request ('Forced Browsing')