cbcvebase.
CVE-2026-2652
published 2026-05-15


Priority: P2 · 74 · high
CVSS 3.0: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EXPLOIT
EPSS: 1.50% (71.1th percentile)
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 3.10.0 | 3.10.0 |
| lfprojects | mlflow | >= 0 < 3.11.0 | 3.11.0 |
| mlflow | mlflow_mlflow | >= unspecified < 3.10.0 | 3.10.0 |

Detection & IOCs (extracted from sources)

  • path: `/ajax-api/3.0/jobs/*`
  • path: `/v1/traces`
  • path: `/ajax-api/3.0/jobs/search`
  • path: `/api/2.0/mlflow/experiments/list`
  • sigma (detection condition): POST `/ajax-api/3.0/jobs/search` returns HTTP 200 without an Authorization header
  • Probe for authentication bypass by first confirming auth is enabled (401 on /api/2.0/mlflow/experiments/list), then issuing an unauthenticated POST to /ajax-api/3.0/jobs/search with an empty JSON body; a 200 response containing '"jobs":' in an application/json body confirms the bypass.
  • The vulnerability is only exploitable when MLflow is started with `--app-name basic-auth` and served via uvicorn (ASGI); deployments using WSGI/Flask are not affected by this specific bypass.
  • The root cause is in `_find_fastapi_validator()` which only handles `/gateway/` paths; monitor or alert on unauthenticated requests to non-`/gateway/` FastAPI routes such as `/ajax-api/3.0/jobs/*` and `/v1/traces`.
  • Use Shodan query `http.title:"mlflow"` or FOFA query `app="mlflow"` to identify exposed MLflow instances for asset discovery and prioritisation.
  • The authentication bypass only affects MLflow instances running with both `--app-name basic-auth` AND uvicorn (ASGI). Instances served via WSGI/Flask are not vulnerable to this specific bypass path.
  • The FastAPI permission middleware enforces authentication ONLY on `/gateway/` routes; all other FastAPI-handled routes are unprotected regardless of auth configuration.
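As an added example (not code from the advisory or from the MLflow project), the following Python applies the monitoring suggestion above to a few constructed reverse-proxy access-log records: it flags successful requests to the affected non-`/gateway/` routes that carried no Authorization header, using the 401 on `/api/2.0/mlflow/experiments/list` as the sign that auth is enabled. The JSON field names (`src`, `method`, `path`, `status`, `auth_header_present`) are assumptions about what the proxy is configured to log.

```python
import json
from typing import Iterable

# FastAPI-served routes the advisory names as left unauthenticated in
# MLflow <= 3.9.0 (the permission middleware only checked /gateway/).
UNPROTECTED_PREFIXES = ("/ajax-api/3.0/jobs/", "/v1/traces")

# Constructed reverse-proxy access-log records (JSON lines), not real traffic.
# Field names are an assumption about what the proxy is configured to log.
SAMPLE_LOG = """
{"src": "203.0.113.7", "method": "GET", "path": "/api/2.0/mlflow/experiments/list", "status": 401, "auth_header_present": false}
{"src": "203.0.113.7", "method": "POST", "path": "/ajax-api/3.0/jobs/search", "status": 200, "auth_header_present": false}
{"src": "10.0.0.5", "method": "POST", "path": "/ajax-api/3.0/jobs/search", "status": 200, "auth_header_present": true}
{"src": "203.0.113.7", "method": "POST", "path": "/v1/traces", "status": 200, "auth_header_present": false}
{"src": "10.0.0.9", "method": "POST", "path": "/gateway/chat/invocations", "status": 200, "auth_header_present": true}
{"src": "203.0.113.7", "method": "GET", "path": "/ajax-api/3.0/jobs/does-not-exist", "status": 404, "auth_header_present": false}
"""


def is_unprotected_route(path: str) -> bool:
    """True if the path (query string stripped) falls under an affected route."""
    bare = path.split("?", 1)[0]
    return any(bare.startswith(prefix) for prefix in UNPROTECTED_PREFIXES)


def find_unauthenticated_hits(lines: Iterable[str]) -> list[dict]:
    """Return records where an affected route answered 2xx to a request with
    no Authorization header; with auth enabled that is the bypass signature."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if not is_unprotected_route(rec["path"]):
            continue
        if rec.get("auth_header_present", False):
            continue  # authenticated request, expected behaviour
        if not 200 <= rec["status"] < 300:
            continue  # rejected or not found, no bypass evidenced
        hits.append({"src": rec["src"], "method": rec["method"], "path": rec["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE_LOG.splitlines()):
        print(f"ALERT unauthenticated {hit['method']} {hit['path']} from {hit['src']}")
```

Against the constructed records this raises two alerts, for the `/ajax-api/3.0/jobs/search` and `/v1/traces` requests; the authenticated and the 401/404 records are ignored.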