CVE-2026-4035
published 2026-06-03
Priority: P3 | 51 | high | CVSS 3.1: 7.7
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:N / A:N
EPSS: 0.43% (34.8th percentile)
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
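A configuration audit for the pattern described above, added here as an example and not taken from MLflow or from any of the advisories on this page. It assumes gateway secrets have been exported as flat records pairing each `api_key` with the `api_base` it is used against; the record shape, `APPROVED_HOSTS` and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# A value that is nothing but an environment reference: $NAME (the form the
# advisory names) or ${NAME} (assumed variant, covered defensively).
ENV_REF = re.compile(r"^\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))$")

# Assumption: provider hosts this deployment is meant to talk to.
APPROVED_HOSTS = {"api.openai.com", "api.anthropic.com"}

def env_reference(value):
    """Return the variable name if value is a $NAME/${NAME} reference, else None."""
    m = ENV_REF.match((value or "").strip())
    return (m.group(1) or m.group(2)) if m else None

def audit_secret(record):
    """Classify one record: 'critical', 'review' or 'ok', plus the reasons."""
    reasons = []
    var = env_reference(record.get("api_key"))
    if var:
        reasons.append(f"api_key resolves server variable {var}")
    host = (urlsplit(record.get("api_base") or "").hostname or "").lower()
    if host not in APPROVED_HOSTS:
        reasons.append(f"api_base host {host or '<missing>'} is not approved")
    # Both together is the pattern from the advisory: a server-side value
    # would be placed in an auth header sent to an unvetted endpoint.
    level = ("ok", "review", "critical")[len(reasons)]
    return level, reasons

def audit(records):
    """Return {secret name: (level, reasons)} for every record that is not 'ok'."""
    report = {}
    for rec in records:
        level, reasons = audit_secret(rec)
        if level != "ok":
            report[rec["name"]] = (level, reasons)
    return report

# Constructed sample records (hypothetical shape, not MLflow's storage format).
SAMPLE = [
    {"name": "prod-openai", "api_key": "sk-constructed-literal", "api_base": "https://api.openai.com/v1"},
    {"name": "team-key", "api_key": "$OPENAI_API_KEY", "api_base": "https://api.openai.com/v1"},
    {"name": "scratch", "api_key": "${AWS_SECRET_ACCESS_KEY}", "api_base": "http://collector.example.net:8080/v1"},
]

if __name__ == "__main__":
    for name, (level, reasons) in audit(SAMPLE).items():
        print(f"{name}: {level}: {'; '.join(reasons)}")
```

On versions prior to 3.11.0, any record reported here warrants rotating the referenced credential as well as upgrading.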
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 3.11.0 | 3.11.0 |
| mlflow | mlflow_mlflow | >= unspecified < 3.11.0 | 3.11.0 |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-training-cuda128-torch29-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
CVSS provenance
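| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
| vendor_redhat | — | 7.7 | HIGH | — |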
VulDB
mlflow up to 3.10.x ENV_VAR insertion of sensitive information into sent data (EUVD-2026-34068)
vuldb·2026-06-08·CVSS 7.7
CVE-2026-4035 [HIGH] mlflow up to 3.10.x ENV_VAR insertion of sensitive information into sent data (EUVD-2026-34068)
A vulnerability was found in mlflow up to 3.10.x. It has been declared as problematic. Affected by this issue is some unknown functionality. The manipulation of the argument ENV_VAR results in insertion of sensitive information into sent data.
This vulnerability is cataloged as CVE-2026-4035. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environme
ghsa_unreviewed·2026-06-03
CVE-2026-4035 [CRITICAL] CWE-201 A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environme
Red Hat
python-mlflow: MLflow: Sensitive credential exfiltration via environment variable resolution in AI Gateway secrets
vendor_redhat·2026-06-03·CVSS 7.7
CVE-2026-4035 [HIGH] CWE-201 python-mlflow: MLflow: Sensitive credential exfiltration via environment variable resolution in AI Gateway secrets
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-4035 python-mlflow: MLflow: Sensitive credential exfiltration via environment variable resolution in AI Gateway secrets
bugzilla·2026-06-03·CVSS 7.7
CVE-2026-4035 [HIGH] CVE-2026-4035 python-mlflow: MLflow: Sensitive credential exfiltration via environment variable resolution in AI Gateway secrets
Bugzilla
CVE-2026-31601 kernel: vfio/xe: Reorganize the init to decouple migration from reset
bugzilla·2026-04-24
CVE-2026-31601 CVE-2026-31601 kernel: vfio/xe: Reorganize the init to decouple migration from reset
In the Linux kernel, the following vulnerability has been resolved:
vfio/xe: Reorganize the init to decouple migration from reset
Attempting to issue reset on VF devices that don't support migration
leads to the following:
BUG: unable to handle page fault for address: 00000000000011f8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)
Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/20
https://github.com/mlflow/mlflow/commit/4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3
https://huntr.com/bounties/f8e591a0-0f19-4910-b82e-16c9956f2233
https://access.redhat.com/security/cve/CVE-2026-4035
https://bugzilla.redhat.com/show_bug.cgi?id=2484318
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4035.json
2026-06-03
Published