CVE-2026-4035: MLflow AI Gateway Environment Variable Credential Exposure
MLflow, a popular open-source machine learning platform, contains a credential exposure vulnerability affecting versions before 3.11.0. The flaw allows attackers to extract sensitive server-side environment variables—such as AWS credentials—by manipulating how the AI Gateway handles secrets. An attacker with basic authentication access (or no authentication in default setups) can craft requests that trick MLflow into exposing these credentials to attacker-controlled endpoints. This is particularly dangerous because exposed cloud credentials could allow further compromise of artifact repositories and downstream systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-201
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-30
NVD description (verbatim)
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient sanitization of the `api_key` field in MLflow AI Gateway secrets. The system resolves `$ENV_VAR` references at runtime against the MLflow server's environment and forwards the resolved values in HTTP Authorization headers to upstream API endpoints. An attacker can specify a malicious `api_base` URL and inject environment variable references into the `api_key` field, causing MLflow to send unintended credentials to the attacker-controlled destination. The root cause is CWE-201 (Exposure of Sensitive Information Through Output), allowing information disclosure through normal API operations. Authentication requirements vary by deployment configuration: basic-auth deployments require low-privilege credentials, while default deployments are exploitable without authentication.
Business impact
Exposure of cloud service credentials (AWS keys, Azure tokens, or equivalent) creates immediate risk of unauthorized access to artifact repositories, model storage, and training data. Attackers could poison models, inject malicious code, or pivot laterally into cloud environments. For organizations using MLflow to manage AI/ML workflows at scale, this could compromise the integrity of production models and breach data confidentiality across multiple teams. The blast radius extends beyond MLflow itself—compromised cloud credentials may grant access to other services within the same AWS account or cloud tenant.
Affected systems
MLflow versions prior to 3.11.0 are affected. This includes all 3.10.x, 3.9.x, and earlier releases. Organizations running MLflow as a central model registry or AI Gateway for teams should inventory their deployment versions immediately. The vulnerability affects both self-managed and containerized deployments. Users relying on MLflow for production AI/ML orchestration are at highest risk.
Exploitability
Exploitation requires network access to the MLflow API and is straightforward to execute. In default deployments without authentication enabled, any remote attacker can exploit this immediately. In basic-auth deployments, an attacker needs valid low-privilege credentials—potentially obtained through lateral movement, leaked tokens, or compromised contractor accounts. No special tools or advanced techniques are required; standard HTTP requests suffice. The vulnerability does not require user interaction or code execution on the target; it leverages the platform's normal request-handling flow.
Remediation
Upgrade MLflow to version 3.11.0 or later immediately. This is a high-priority patch that eliminates environment variable resolution in API key fields. Organizations should verify that the patched version is deployed across all MLflow servers and cluster nodes. After patching, rotate any cloud credentials that were exposed during the vulnerability window (prioritize AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if in use). Conduct a secrets audit and refresh authentication tokens for all connected services.
Patch guidance
MLflow 3.11.0 is the confirmed fixed version. Apply this patch to all MLflow instances in your environment. Test the upgrade in a staging environment first, particularly if you have custom gateway configurations. The patch addresses the root cause by preventing environment variable expansion in secret fields. After upgrade, verify your AI Gateway configurations remain functional and that no custom workarounds are relying on the vulnerable behavior. Check MLflow's release notes for any breaking changes or migration guidance.
Detection guidance
Monitor MLflow API audit logs for suspicious requests to the AI Gateway `/v1/config/gateway` or related endpoints, particularly any `POST` or `PUT` requests containing `$ENV_VAR` patterns in the `api_key` field. Look for outbound HTTP requests from MLflow servers to unexpected or external destinations, which may indicate credential exfiltration. If basic-auth is enabled, correlate such requests with low-privilege user accounts. Examine HTTP headers in upstream provider requests for unexpected Authorization header values. For organizations with comprehensive logging, search for environment variable names (AWS_ACCESS_KEY_ID, etc.) appearing in request payloads or headers sent to external hosts. Implement network segmentation to restrict MLflow server egress only to known, trusted provider endpoints.
Why prioritize this
This vulnerability should be patched within days, not weeks. The CVSS 7.7 (HIGH) score reflects high confidentiality impact with network accessibility and low complexity. The exploitability is straightforward, authentication barriers are weak or absent in many deployments, and the consequence—credential exposure—is severe. Unlike vulnerabilities requiring complex exploitation chains, this can be weaponized by moderately skilled attackers with minimal prerequisites. The cross-boundary impact (credentials leading to cloud account compromise) amplifies business risk.
Risk score, explained
The CVSS 3.1 score of 7.7 (HIGH) is driven by: (1) Network-accessible attack vector (AV:N), (2) low attack complexity requiring no special conditions (AC:L), (3) low privilege requirements (PR:L) with unauthenticated variants in default config, (4) high confidentiality impact from credential leakage (C:H), and (5) scope change (S:C) because compromised credentials can affect systems beyond MLflow. The score appropriately reflects the severity; however, in practice, actual risk is context-dependent on whether credentials exposed grant access to sensitive production systems and whether basic-auth or other controls are in place. Organizations running unpatched MLflow without network segmentation face elevated realized risk.
Frequently asked questions
Do we need to patch if we only use MLflow locally or in an air-gapped environment?
If MLflow is truly air-gapped (no network access to external providers and no remote users), the attack surface is reduced. However, if any upstream provider or external service is configured—even internally—or if there is any possibility of lateral movement from a compromised local system, patching is still prudent. Additionally, future configurations might enable external connectivity, so treating this as a must-patch is safer.
How can we quickly check if our MLflow deployment was exploited?
Review MLflow API audit logs for the time window between your deployment date and now, looking for requests to gateway configuration endpoints with `$ENV_VAR` patterns or to unexpected external hosts. Check your cloud provider's access logs (e.g., AWS CloudTrail) for unusual API calls using your exposed credentials. If basic-auth is enabled, cross-reference suspicious requests with user accounts. Immediate credential rotation is recommended if you cannot rule out exposure.
Does this affect MLflow users who don't use the AI Gateway feature?
If you do not use the AI Gateway and do not configure upstream provider secrets, your direct exposure is minimal. However, if your MLflow deployment has any gateway configuration at all—even if not actively used—the code path is present and could be exploited. Upgrade regardless to eliminate the vulnerability entirely.
What if we've already rotated our credentials? Can we delay the patch?
Credential rotation is a necessary remediation step, but it does not prevent future exploitation or attacks from actors who captured the credentials before rotation. Patching is essential to close the vulnerability itself. Combine credential rotation with immediate patching for defense-in-depth.
This analysis is provided for informational purposes and should not be considered formal security advice. Patch availability, CVSS scores, and CVE status are accurate as of the publication date but may change. Organizations should verify all patch versions against official vendor advisories and test patches in controlled environments before production deployment. This vulnerability description does not constitute an endorsement of any third-party security tools or services. Consult your security team and MLflow vendor documentation for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42673HIGHLogtivity Activity Logs Information Disclosure (CVSS 7.5)
- CVE-2026-10101MEDIUMACM/MCE Pull-Secret Credential Exposure via InfraEnv Status
- CVE-2026-42539MEDIUMIRIS Information Disclosure Vulnerability (6.5 CVSS) – Patch to 2.4.28
- CVE-2026-10803LOWMLflow Weak Hash Vulnerability in Dataset Digest Computation
- CVE-2026-3198MEDIUMMLflow 3.9.0 Basic-Auth Authorization Bypass – Gateway API Enumeration
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10