| Titel | MLflow Unreleased development code in pull request #23607, commit 4666cffc7912ea606d592fc38d6a75e2935f65e7. No released MLflow version CWE-862 Missing Authorization |
|---|
| Beschreibung | A vulnerability was found in MLflow development code introduced by pull request #23607 and classified as High severity. Affected are the new experiment-scoped label schema REST endpoints under /api/3.0/mlflow/label-schemas/* and /ajax-api/3.0/mlflow/label-schemas/*. The manipulation of the experiment_id or schema_id arguments leads to missing authorization checks. It is possible to launch the attack remotely against an MLflow server using the basic-auth application.
Authentication required: yes, any valid non-admin authenticated user. User interaction required: no.
Technical Details
- Affected file/function: mlflow/server/auth/__init__.py, BEFORE_REQUEST_HANDLERS and _find_validator
- Affected handlers: mlflow/server/handlers.py, _create_label_schema, _get_label_schema, _get_label_schema_by_name, _list_label_schemas, _update_label_schema, _upsert_label_schema, _delete_label_schema
- Vulnerable parameter: experiment_id and schema_id
- Attack vector: Network
- Privileges required: Low
- Trigger condition: MLflow is served with the basic-auth app and the PR #23607 label schema endpoints are available. The label schema protobuf request classes are not registered in BEFORE_REQUEST_HANDLERS, so _find_validator returns None and _before_request performs authentication without experiment-level RBAC authorization.
Impact
- Confidentiality: Low
- Integrity: High
- Availability: Low
An authenticated user without permission on an experiment can list or read label schema definitions and can create, update, upsert, or delete schemas for experiments they should not control. This can disclose evaluation policy metadata and corrupt GenAI labeling or evaluation workflows by changing feedback or expectation schemas.
CVSS v3.1
Score: 7.6 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Timeline
- Discovered: 2026-05-26
- Vendor notified: [unknown]
- Patch released: [unknown]
- Public disclosure: [unknown]
Countermeasure
Register the label schema protobuf request classes in mlflow/server/auth/__init__.py::BEFORE_REQUEST_HANDLERS. Enforce UPDATE permission for create/upsert/update/delete, READ permission for get/list, and resolve schema_id-only requests to the owning experiment before applying authorization. Add regression tests that assert authenticated users without experiment permission receive HTTP 403 on every label schema endpoint. |
|---|
| Quelle | ⚠️ https://github.com/mlflow/mlflow/issues/23608 |
|---|
| Benutzer | Dem00 (UID 84913) |
|---|
| Einreichung | 26.05.2026 18:42 (vor 1 Monat) |
|---|
| Moderieren | 27.06.2026 17:45 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 374481 [MLflow bis 4666cffc7912ea606d592fc38d6a75e2935f65e7 Experiment-scoped Label Schema CRUD API erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|