CVE-2026-3198 in MLflowinformation

Résumé

par MITRE • 02/06/2026

MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

@huntr Ai

Réserver

25/02/2026

Divulgation

02/06/2026

Modérer

accepté

Entrée

VDB-367794

CPE

prêt

EPSS

0.00025

KEV

non

Activités

très faible

Sources

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-3198
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-3198
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-3198/

PrécédentAperçuSuivant

Do you need the next level of professionalism?

Upgrade your account now!