By vendor

Lfprojects vulnerabilities

Known CVEs affecting Lfprojects products, prioritized by severity, with SEC.co remediation and detection guidance.

3 published vulnerabilities

  • CVE-2026-4035HIGH 7.7

    MLflow, a popular open-source machine learning platform, contains a credential exposure vulnerability affecting versions before 3.11.0. The flaw allows attackers to extract sensitive server-side environment variables—such as AWS credentials—by manipulating how the AI Gateway handles secrets. An attacker with basic authentication access (or no authentication in default setups) can craft requests that trick MLflow into exposing these credentials to attacker-controlled endpoints. This is particularly dangerous because exposed cloud credentials could allow further compromise of artifact repositories and downstream systems.

  • CVE-2026-3198MEDIUM 6.5

    MLflow 3.9.0, when deployed with basic authentication enabled, contains an authorization bypass affecting several gateway API endpoints. The application fails to properly verify user permissions before allowing access to sensitive operations that list gateway secrets, endpoints, and model definitions. This means any user who has logged in—even with minimal privileges—can view all gateway configuration data, including API keys and proprietary model information that should be restricted. The vulnerability is confined to the basic-auth deployment mode and affects information disclosure rather than data modification or system availability.

  • CVE-2026-10803LOW 3.6

    MLflow versions up to 3.10.0 contain a cryptographic weakness in the Dataset Digest Computation module. The vulnerability uses an insufficiently strong hash function for dataset digest operations, which could allow an attacker with local system access and user-level privileges to tamper with dataset integrity checks or trigger application errors. Exploitation requires significant technical effort and local presence on the affected machine.