CVE-2026-3198: MLflow 3.9.0 Basic-Auth Authorization Bypass – Gateway API Enumeration
MLflow 3.9.0, when deployed with basic authentication enabled, contains an authorization bypass affecting several gateway API endpoints. The application fails to properly verify user permissions before allowing access to sensitive operations that list gateway secrets, endpoints, and model definitions. This means any user who has logged in—even with minimal privileges—can view all gateway configuration data, including API keys and proprietary model information that should be restricted. The vulnerability is confined to the basic-auth deployment mode and affects information disclosure rather than data modification or system availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.0 · 6.5 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
MLflow 3.9.0's basic-auth handler omits authorization enforcement for three Gateway API 'list' operations: ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. The root cause is missing entries in the `BEFORE_REQUEST_HANDLERS` dictionary within `mlflow/server/auth/__init__.py`. This dictionary is responsible for registering authorization checks that run before request processing. Because these three endpoints lack handler registration, the application skips permission validation and returns full enumeration data to any authenticated principal, regardless of role or assigned scopes. The vulnerability allows horizontal privilege escalation where low-privileged authenticated users gain visibility into resources they should not access.
Business impact
Exposure of gateway secrets and API credentials poses a significant operational risk. Attackers with low-level MLflow access can exfiltrate authentication material and endpoint configurations, enabling lateral movement, unauthorized API calls to downstream services, or credential reuse in supply-chain attacks. Proprietary model definitions and endpoint topologies may also be compromised, leading to competitive intelligence loss. Organizations relying on MLflow's basic-auth for multi-tenant or role-based access control should assume that privilege boundaries have been partially compromised; attackers can map the full MLflow infrastructure and identify high-value targets for further exploitation.
Affected systems
MLflow version 3.9.0 with the `--app-name basic-auth` deployment configuration is affected. Organizations using MLflow in default or alternative authentication modes (LDAP, OIDC, or no authentication) should verify their specific deployment. The vulnerability is specific to the basic-auth handler implementation and does not affect MLflow deployments without authentication or those using other authentication backends. Verify your MLflow version and authentication configuration by checking the deployment startup parameters and the server version endpoint.
Exploitability
Exploitation requires valid authentication credentials—an attacker must already have a user account and be able to log into the MLflow instance. Once authenticated, no additional interaction or technical sophistication is needed; the attacker simply calls the affected list endpoints via the MLflow API. The barrier to exploitation is low from a technical perspective (standard HTTP requests), but access prerequisites limit the attack surface to internal users or attackers who have obtained valid credentials. The CVSS vector reflects this: network-accessible but requiring prior authentication (PR:L).
Remediation
Update MLflow to a patched version that includes authorization handler registration for the three affected endpoints. Verify the exact patched version in the upstream MLflow security advisory or release notes. Until a patch is available, mitigate by restricting MLflow API access via network controls (firewall rules, VPC isolation) or reverse-proxy authentication layers, and audit which users have been granted MLflow accounts. Additionally, rotate all gateway secrets and API keys that may have been exposed, and review logs for suspicious enumeration activity on the affected endpoints.
Patch guidance
Consult the official MLflow release notes and security advisories for the specific patched version addressing CVE-2026-3198. Apply the update to all MLflow instances running version 3.9.0 with basic-auth enabled. Test the patch in a non-production environment first to confirm authorization checks are now enforced for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. After deployment, verify that low-privileged users can no longer enumerate sensitive gateway resources.
Detection guidance
Monitor MLflow API audit logs for repeated or anomalous calls to `/api/2.0/gateway/list-secrets`, `/api/2.0/gateway/list-endpoints`, and `/api/2.0/gateway/list-models` (or equivalent endpoints depending on MLflow version). Correlate these calls with user identity and role; any low-privileged account making these requests may indicate exploitation. Configure alerts if a single user account performs a high volume of list operations within a short timeframe. Additionally, check MLflow server logs for missing BEFORE_REQUEST_HANDLERS registrations in the auth initialization output.
Why prioritize this
This vulnerability merits near-term patching despite a MEDIUM CVSS score because it directly undermines the access control model in MLflow deployments. In environments where MLflow manages credentials for downstream ML services or data pipelines, unauthorized secret enumeration creates a direct path to credential compromise. The requirement for prior authentication limits blast radius but does not eliminate risk—internal threats, compromised service accounts, and credential-stuffing attacks all become viable. Organizations should prioritize this patch if they use MLflow's basic-auth with multi-user or multi-tenant configurations.
Risk score, explained
CVSS 6.5 (MEDIUM) reflects high confidentiality impact (C:H)—sensitive secrets and configurations are disclosed—but no integrity or availability impact. The score accounts for the authentication prerequisite (PR:L), which reduces the overall severity. However, the practical risk depends on what secrets are stored in the gateway and whether MLflow is exposed to untrusted internal networks. Organizations with strict network segmentation and minimal multi-user MLflow deployments face lower risk; those with shared MLflow instances and downstream service credentials stored in the gateway face elevated risk.
Frequently asked questions
Does this vulnerability affect MLflow deployments without basic-auth enabled?
No. The vulnerability is specific to MLflow instances deployed with the `--app-name basic-auth` configuration. Deployments using alternative authentication methods (LDAP, OIDC) or no authentication at all are not affected by this particular authorization bypass. However, verify your deployment configuration to confirm which authentication backend is in use.
Can an attacker exploit this without already having MLflow credentials?
No. The vulnerability requires prior authentication. An attacker must first obtain valid MLflow user credentials to log in. Once authenticated, they can enumerate gateway resources without additional authorization checks. This makes the vulnerability primarily a risk for insider threats or scenarios where credentials have been compromised through other means.
What is the difference between this vulnerability and a general privilege escalation?
This is a horizontal escalation rather than a vertical one. An authenticated user cannot elevate their own permissions or become an admin; instead, they gain unauthorized read access to resources that their assigned role should restrict. In role-based access control, a junior analyst should not see production API keys, but this vulnerability allows them to enumerate and view those keys alongside senior users.
Should we rotate all our gateway secrets immediately, or can we wait for a patch?
If your MLflow instance runs 3.9.0 with basic-auth and has multiple user accounts, assume that gateway secrets may have been enumerated. Audit access logs to identify suspicious activity, and prioritize rotating secrets that are most critical or have been in the system longest. Apply the patch as soon as it is available, but do not delay secret rotation pending the patch if you operate a multi-user instance.
This analysis is based on the CVE record as of the publication date and represents the current understanding of the vulnerability. Security research, threat intelligence, and vendor advisories may evolve. Organizations should consult official MLflow security bulletins and release notes for authoritative patch information and version numbers. This document does not constitute legal or compliance advice. Always validate patch applicability and test in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler