Description
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Published: 2026-06-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in mlflow versions prior to 3.11.0 allows the resolution of environment variables in gateway secrets, enabling attackers to receive sensitive server‑side credentials through the MLflow server’s environment. The resolved values are transmitted in provider authentication headers to the configured upstream `api_base`, potentially exposing cloud artifact credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The flaw can lead to artifact poisoning and cross‑boundary code execution in downstream environments.

Affected Systems

The affected product is mlflow mlflow; any installation running a version earlier than 3.11.0 is vulnerable. The issue occurs when the AI Gateway is configured to use gateway secrets that contain `$ENV_VAR` references, and the MLflow server is running with the capability to resolve those variables.

Risk and Exploitability

The CVSS score is 9.1, indicating a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this flaw as low‑privileged authenticated users in basic‑auth deployments or even unauthenticated users in default deployments that do not use basic‑auth. Given the high impact and the ability for attackers to exfiltrate credentials to an attacker‑controlled endpoint, the risk is significant and the likelihood of exploitation is high for exposed systems.

Generated by OpenCVE AI on June 3, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to mlflow version 3.11.0 or later
  • Restrict gateway secret creation to privileged users
  • Audit existing gateway secret configurations for environment variable usage

Generated by OpenCVE AI on June 3, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Wed, 03 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Title Environment Variable Resolution Vulnerability in mlflow/mlflow
Weaknesses CWE-201
References
Metrics cvssV3_0

{'score': 9.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-03T13:10:24.407Z

Reserved: 2026-03-12T02:17:42.523Z

Link: CVE-2026-4035

cve-icon Vulnrichment

Updated: 2026-06-03T13:09:52.628Z

cve-icon NVD

Status : Received

Published: 2026-06-03T09:16:13.083

Modified: 2026-06-03T14:16:45.847

Link: CVE-2026-4035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T13:30:26Z

Weaknesses