CVE-2026-2652
Published 2026-05-15
Priority P2 (74) · Severity: High · CVSS 3.0 base score 8.6
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 1.50% (71.1st percentile)
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 3.10.0 | 3.10.0 |
| lfprojects | mlflow | >= 0 < 3.11.0 | 3.11.0 |
| mlflow | mlflow_mlflow | >= unspecified < 3.10.0 | 3.10.0 |
Detection & IOCs (extracted from sources)
Sigma detection condition: POST /ajax-api/3.0/jobs/search returns HTTP 200 without an Authorization header
- Probe for the authentication bypass by first confirming that auth is enabled (401 on /api/2.0/mlflow/experiments/list), then issuing an unauthenticated POST to /ajax-api/3.0/jobs/search with an empty JSON body; a 200 response containing '"jobs":' in an application/json body confirms the bypass.
- The vulnerability is only exploitable when MLflow is started with `--app-name basic-auth` and served via uvicorn (ASGI); deployments using WSGI/Flask are not affected by this specific bypass.
- The root cause is in `_find_fastapi_validator()`, which only handles `/gateway/` paths; monitor or alert on unauthenticated requests to non-`/gateway/` FastAPI routes such as `/ajax-api/3.0/jobs/*` and `/v1/traces`.
- Use the Shodan query `http.title:"mlflow"` or the FOFA query `app="mlflow"` to identify exposed MLflow instances for asset discovery and prioritisation.
- The authentication bypass only affects MLflow instances running with both `--app-name basic-auth` AND uvicorn (ASGI). Instances served via WSGI/Flask are not vulnerable to this specific bypass path.
- The FastAPI permission middleware enforces authentication ONLY on `/gateway/` routes; all other FastAPI-handled routes are unprotected regardless of auth configuration.
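The detection guidance above (alert on unauthenticated requests to non-`/gateway/` FastAPI routes) and the root-cause description (a policy that checks only the `/gateway/` prefix) can both be made concrete in a few lines. The following is an added example, not code from the MLflow project or from any of the sources listed here: it places the permissive prefix-only policy the advisory describes beside a deny-by-default policy, and runs a small detector over constructed access-log lines. The log format, the `auth=present|none` field (a reverse proxy would have to emit it; uvicorn's default access log does not record Authorization presence), the `/health` allowlist entry and the sample addresses are all assumptions made for the example.

```python
"""Added example (not MLflow code): deny-by-default route policy beside the permissive
one the advisory describes, plus a detector over constructed access-log lines."""
import re
from dataclasses import dataclass

# Routes the advisory names as reachable without credentials in 3.9.0 and earlier.
SENSITIVE_PREFIXES = ("/ajax-api/3.0/jobs/", "/v1/traces")

# Assumption: a small allowlist of endpoints that may legitimately stay anonymous
# (e.g. a liveness probe). Hypothetical; adjust to what the deployment really needs.
ANONYMOUS_ALLOWLIST = frozenset({"/health"})


def requires_auth_permissive(path: str) -> bool:
    """Mirrors the behaviour the advisory describes: only /gateway/ paths are checked,
    so the Job API and trace ingestion fall through unauthenticated."""
    return path.startswith("/gateway/")


def requires_auth_deny_by_default(path: str) -> bool:
    """Hardened policy: every path needs credentials unless explicitly allowlisted."""
    return path not in ANONYMOUS_ALLOWLIST


@dataclass(frozen=True)
class Finding:
    client: str
    method: str
    path: str
    status: int


# Constructed log format (assumption):
#   "<timestamp> <client> <method> <path> auth=<present|none> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>present|none) (?P<status>\d{3})$"
)


def is_sensitive(path: str) -> bool:
    """True for the non-/gateway/ FastAPI routes the advisory lists as unprotected."""
    return any(path.startswith(prefix) for prefix in SENSITIVE_PREFIXES)


def find_unauthenticated_sensitive_requests(lines):
    """Return requests that reached a sensitive route with no credentials and were
    served successfully (2xx): the advisory's bypass pattern. A 401 on the same
    route is the expected, healthy outcome and is not reported."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate lines in another format instead of aborting the scan
        status = int(m["status"])
        if m["auth"] == "none" and is_sensitive(m["path"]) and 200 <= status < 300:
            findings.append(Finding(m["client"], m["method"], m["path"], status))
    return findings


# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2026-05-15T10:00:01Z 203.0.113.5 GET /api/2.0/mlflow/experiments/list auth=none 401",
    "2026-05-15T10:00:02Z 203.0.113.5 POST /ajax-api/3.0/jobs/search auth=none 200",
    "2026-05-15T10:00:03Z 198.51.100.7 POST /v1/traces auth=none 200",
    "2026-05-15T10:00:04Z 192.0.2.9 POST /ajax-api/3.0/jobs/search auth=present 200",
    "2026-05-15T10:00:05Z 192.0.2.9 GET /gateway/example auth=none 401",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for path in ("/gateway/example", "/ajax-api/3.0/jobs/search", "/v1/traces", "/health"):
        print(f"{path:28} permissive={requires_auth_permissive(path)!s:5} "
              f"deny_by_default={requires_auth_deny_by_default(path)}")
    for finding in find_unauthenticated_sensitive_requests(SAMPLE_LOG):
        print("ALERT", finding)
```

Run over the constructed sample, the detector reports the two anonymous 2xx hits on the Job API and on `/v1/traces` and stays quiet on the authenticated request and on the 401 responses; the policy comparison shows that the permissive check leaves exactly those two routes open while the deny-by-default check protects everything outside the allowlist.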
GHSA (2026-05-15) · CVE-2026-2652 [HIGH] · CWE-305
MLflow: unauthenticated access to certain FastAPI routes
GHSA-75cm-x2w3-8mgf (unreviewed, 2026-05-15) · CVE-2026-2652 [HIGH] · CWE-305
VulDB (2026-05-15, CVSS 8.6) · CVE-2026-2652 [HIGH]
mlflow up to 3.9.x Job API _find_fastapi_validator authentication bypass
A vulnerability was found in mlflow up to 3.9.x and classified as critical. Affected by this vulnerability is the function _find_fastapi_validator of the component Job API. Executing a manipulation can lead to authentication bypass by primary weakness.
The identification of this vulnerability is CVE-2026-2652. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
Nuclei (CVSS 8.6) · CVE-2026-2652 [HIGH]
MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes
No writeups or analysis indexed.