CVE-2026-3198 in MLflowالمعلومات

الملخص

بحسب MITRE • 02/06/2026

MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

@huntr Ai

حجز

25/02/2026

إفشاء

02/06/2026

الاعتدال

تمت الموافقة

إدخال

VDB-367794

CPE

جاهز

CWE

CWE-284 (مؤكد)

CVSS

6.5 (CNA)

EPSS

0.00025

KEV

لا

النشاطات

منخفض

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3198
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3198
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3198/

التالي ▸نظرة عامة ◂ السابق

Do you need the next level of professionalism?

Upgrade your account now!