CVE-2026-3198 in MLflowinfo

Zusammenfassung

von MITRE • 02.06.2026

MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

@huntr Ai

Reservieren

25.02.2026

Veröffentlichung

02.06.2026

Moderieren

akzeptiert

Eintrag

VDB-367794

CPE

bereit

CWE

CWE-284 (bestätigt)

CVSS

6.5 (CNA)

EPSS

0.00025

KEV

nein

Aktivitäten

low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3198
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3198
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3198/

◂ Zurück Übersicht Weiter ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!