CVE-2026-8147 in MLflow
Summary
by MITRE • 07/02/2026
In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/02/2026
The vulnerability in MLflow versions prior to 3.14.0 represents a critical authorization bypass flaw that undermines the security model of the platform when authentication is enabled. This issue stems from an incomplete implementation of access control mechanisms within the trace API endpoints, creating a pathway for authenticated users to circumvent experiment-level authorization controls. The flaw specifically affects the `_before_request` handler which fails to register proper authorization validators for trace operations, allowing malicious actors to perform unauthorized actions on traces associated with experiments they should not have access to. The vulnerability exists at the application logic level where security controls are not consistently applied across all API endpoints, creating a gap in the authorization framework that directly violates fundamental security principles.
The technical implementation of this vulnerability manifests through the improper registration of authorization validators within the request processing pipeline. When authentication is enabled, MLflow correctly authenticates users but fails to enforce proper authorization checks for trace operations specifically. The `_before_request` handler which should validate user permissions before allowing access to sensitive operations does not include trace endpoints in its validation scope. This creates a scenario where authenticated users can execute read, delete, and modify operations on traces regardless of their actual permissions for the underlying experiments. The flaw essentially allows privilege escalation within the context of trace operations, enabling users to access data they should not be permitted to view or manipulate. This represents a classic case of insufficient authorization validation where the system assumes that authentication is sufficient for access control, ignoring the need for proper authorization checks.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential audit trail manipulation and unauthorized system modifications. Attackers with authenticated access can read sensitive trace information from experiments they do not own, potentially exposing proprietary data, research findings, or confidential project details. The ability to delete traces undermines audit logging capabilities, making it impossible to track legitimate user activities or identify unauthorized access attempts. Additionally, modification operations allow attackers to alter trace data which could corrupt experiment results, manipulate performance metrics, or inject false information into the system. This vulnerability directly impacts the integrity and confidentiality of MLflow environments, particularly in enterprise settings where multiple users collaborate on sensitive projects and strict access controls are essential for compliance with security standards.
Mitigation strategies for this vulnerability require immediate attention through patching MLflow to version 3.14.0 or later where proper authorization validators have been implemented for trace endpoints. Organizations should review their current MLflow deployments to identify systems running vulnerable versions and ensure all instances are updated promptly. Security teams must also conduct thorough access control reviews to verify that all API endpoints properly enforce authorization checks, particularly focusing on the request handling pipeline and authentication middleware. The remediation process should include implementing comprehensive logging of trace operations to detect unauthorized access attempts and establishing monitoring procedures for suspicious activities. Additionally, organizations should consider implementing network-level controls and least-privilege access models to minimize the impact if users with legitimate access attempt unauthorized trace operations. This vulnerability highlights the importance of consistent security implementation across all application components and serves as a reminder that authentication alone is insufficient for comprehensive access control in multi-user environments.
This vulnerability aligns with CWE-639 which describes "Authorization Bypass Through User-Controlled Key" and represents a failure in proper access control enforcement. The flaw also maps to ATT&CK technique T1078 which covers valid accounts and privilege escalation through unauthorized access to system resources. The improper implementation of authorization controls in the request processing pipeline demonstrates a lack of defense-in-depth principles where security measures should be applied consistently across all application interfaces rather than relying on authentication as the sole security boundary. Organizations should treat this vulnerability as a high-priority security issue requiring immediate remediation and implement comprehensive security testing procedures to identify similar authorization bypass opportunities in other components of their MLflow deployments or similar platforms.