Description
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Published: 2026-06-03
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in mlflow versions prior to 3.11.0 allows environment variable references in gateway secrets to be resolved against the MLflow server's environment, exposing sensitive server-side credentials to attackers. The resolved values are transmitted in provider authentication headers to the configured upstream api_base, potentially exposing cloud artifact credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The flaw can lead to artifact poisoning and cross-boundary code execution in downstream environments. It is classified as CWE-201, Insertion of Sensitive Information Into Sent Data.

Affected Systems

The affected product is mlflow/mlflow; any installation running a version earlier than 3.11.0 is vulnerable. The issue occurs when the AI Gateway is configured to use gateway secrets that contain $ENV_VAR references, and the MLflow server is running with the capability to resolve those variables.

Risk and Exploitability

The CVSS score is 7.7, indicating a high severity level. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this flaw as low‑privileged authenticated users in basic‑auth deployments or even unauthenticated users in default deployments that do not use basic‑auth. Given the high impact and the ability for attackers to exfiltrate credentials to an attacker‑controlled endpoint, the risk is significant but the likelihood of exploitation is low to moderate for exposed systems.

Generated by OpenCVE AI on June 4, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to mlflow version 3.11.0 or later
  • Restrict gateway secret creation to privileged users, ensuring no environment variable references are allowed (mitigates CWE‑201)
  • Audit existing gateway secret configurations for environment variable usage, and remove or sanitize any that expose credentials (CWE‑201)
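One way to carry out the audit step above, as an added example rather than MLflow or OpenCVE code: it flags any `api_key` that contains a `$ENV_VAR` or `${ENV_VAR}` reference and any `api_base` whose host is not on an approved list. The record shape (dicts with `name`, `api_key`, `api_base`), the allowlisted hosts and the sample records are assumptions made for illustration, not MLflow's storage schema.

```python
import re
from urllib.parse import urlsplit

# "$NAME" or "${NAME}" anywhere in the value (the reference style the CVE describes).
ENV_REF = re.compile(r"\$(?:\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)")

# Assumption: the upstream hosts this deployment is actually meant to call.
ALLOWED_API_HOSTS = {"api.openai.com", "api.anthropic.com"}


def audit_secret(secret: dict) -> list[str]:
    """Return the findings for one gateway secret record (hypothetical shape)."""
    findings = []
    match = ENV_REF.search(str(secret.get("api_key", "")))
    if match:
        findings.append(f"api_key references environment variable {match.group(0)}")
    host = (urlsplit(str(secret.get("api_base", ""))).hostname or "").lower()
    if host not in ALLOWED_API_HOSTS:
        findings.append(f"api_base host {host or '<missing>'} is not on the allowlist")
    return findings


def audit(secrets: list[dict]) -> dict[str, list[str]]:
    """Map secret name -> findings, omitting records with no findings."""
    report = {}
    for secret in secrets:
        findings = audit_secret(secret)
        if findings:
            report[secret.get("name", "<unnamed>")] = findings
    return report


# Constructed sample records, not taken from any real deployment.
SAMPLE = [
    {"name": "openai-prod", "api_key": "sk-constructed-placeholder",
     "api_base": "https://api.openai.com/v1"},
    {"name": "team-x", "api_key": "$AWS_SECRET_ACCESS_KEY",
     "api_base": "https://collector.example.net/v1"},
    {"name": "legacy", "api_key": "${OPENAI_API_KEY}",
     "api_base": "https://api.openai.com/v1"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

A record flagged on both checks (an environment reference in `api_key` plus an unapproved `api_base`) matches the exposure path in the description and should be reviewed first.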

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 12:15:00 +0000

  • References: (no values shown)
  • Metrics: removed threat_severity None; added threat_severity Important


Thu, 04 Jun 2026 19:45:00 +0000

  • First Time appeared: added Lfprojects; Lfprojects mlflow
  • CPEs: added cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  • Vendors & Products: added Lfprojects; Lfprojects mlflow
  • Metrics: added cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Wed, 03 Jun 2026 13:30:00 +0000

  • Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

  • First Time appeared: added Mlflow; Mlflow mlflow/mlflow
  • Vendors & Products: added Mlflow; Mlflow mlflow/mlflow

Wed, 03 Jun 2026 11:15:00 +0000

  • Description: added (text identical to the Description at the top of this page)
  • Title: added Environment Variable Resolution Vulnerability in mlflow/mlflow
  • Weaknesses: added CWE-201
  • References: (no values shown)
  • Metrics: added cvssV3_0 {'score': 9.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-03T13:10:24.407Z

Reserved: 2026-03-12T02:17:42.523Z

Link: CVE-2026-4035

Vulnrichment

Updated: 2026-06-03T13:09:52.628Z

NVD

Status: Analyzed

Published: 2026-06-03T09:16:13.083

Modified: 2026-06-04T19:35:39.613

Link: CVE-2026-4035

Redhat

Severity: Important

Public Date: 2026-06-03T07:18:08Z

Links: CVE-2026-4035 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T21:00:15Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data