CVE-2026-13484 in MLflow
Summary
by MITRE • 06/28/2026
A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. A reply to the GitHub issue explains that "[t]he labeling schema PR has not been merged yet. The auth handlers will be added before the release."
Analysis
by VulDB Data Team • 06/28/2026
The vulnerability identified in MLflow represents a critical authorization flaw within the experiment-scoped label schema CRUD API component. This issue affects versions up to commit 4666cffc7912ea606d592fc38d6a75e2935f65e7 and demonstrates a fundamental failure in access control mechanisms that could allow unauthorized users to manipulate label schemas associated with machine learning experiments. The affected function within this API is unknown, so the precise implementation details of the affected code path remain unclear, which complicates both exploitation and remediation efforts.
The technical nature of this flaw stems from insufficient authorization checks during CRUD operations on experiment-scoped labels, creating a pathway for unauthorized access to sensitive experimental metadata. This authorization bypass represents a direct violation of the principle of least privilege, where users who should not have administrative capabilities over label schemas can potentially modify, create, or delete these configurations. The vulnerability's remote exploitability means that attackers do not require physical access to the system and can leverage network-based attacks to gain unauthorized access to label schema operations.
The operational impact of this vulnerability extends beyond simple data integrity concerns as it could enable attackers to manipulate experimental metadata, potentially affecting model training processes, experiment tracking, and overall ML pipeline governance. Given that MLflow is widely used in machine learning workflows, the exploitation of this authorization flaw could lead to data tampering, unauthorized access to experimental results, or even potential injection of malicious labels that might influence downstream ML model decisions. The high complexity level associated with this attack suggests that while the vulnerability exists, successful exploitation requires significant technical expertise and resources, making it less likely to be exploited by casual attackers but still a serious concern for organizations using MLflow in production environments.
The security implications align with CWE-284, which addresses improper access control vulnerabilities in software systems. This classification specifically addresses situations where applications fail to properly enforce authorization checks, allowing unauthorized users to perform privileged operations. The vulnerability also maps to ATT&CK technique T1078.004, which covers valid accounts and legitimate credentials for persistence and privilege escalation within systems. The fact that the exploit has been disclosed publicly and may be used indicates that threat actors have already identified this weakness, making it a pressing concern for MLflow users who have not yet patched their installations. The response from the development team acknowledging that authorization handlers will be added before release suggests that this vulnerability was recognized as a critical security gap during the development cycle, though the timeline for remediation remains uncertain.
Organizations using affected versions of MLflow should implement immediate mitigations, including network segmentation to limit access to MLflow endpoints, additional authentication layers, and monitoring for unauthorized access attempts to label schema operations. The remediation strategy should focus on ensuring that all CRUD operations within the experiment-scoped label schema API enforce proper authorization checks and validate user permissions before allowing any modifications to label configurations. Regular security audits of MLflow installations and prompt application of security patches are essential to prevent exploitation of this vulnerability, which could have significant implications for machine learning workflow integrity and data governance practices across organizations relying on MLflow for their ML operations.