CVE-2026-2652 Scanner

CVE-2026-2652 Scanner - Authentication Bypass vulnerability in MLflow

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 5 hours
Scan only one: Domain, Subdomain, IPv4

MLflow is an open-source platform for managing machine learning workflows, widely used by data scientists and engineers to track and grade machine learning models. It provides experiment tracking, project organization, and metric logging, and it can serve models in production environments, which makes it instrumental for efficient collaboration in teams. MLflow integrates with various machine learning libraries and frameworks through its server services, helping organizations automate deployment processes and manage the machine learning lifecycle from development to production. Various enterprise-scale applications rely on MLflow to monitor the performance and validity of machine learning models.

The vulnerability allows attackers to bypass authentication in MLflow versions prior to 3.10.0. It affects FastAPI routes when the server is started with authentication enabled using specific configurations. FastAPI routes other than those under `/gateway/` are not secured, so they can be reached without authorization. Attackers can exploit this to submit jobs, monitor job results, and inject non-legitimate data into systems. The vulnerability arises from incompatibilities in how Flask and FastAPI handle authentication, and it lets unauthorized users perform actions that raise significant security and data integrity concerns.

Technically, specific FastAPI routes such as the Job API and the OpenTelemetry API are left unprotected. Requests sent to these endpoints can be authenticated incorrectly or remain unauthenticated. The cause is incomplete authentication validation in the FastAPI permission middleware: `_find_fastapi_validator()` does not recognize paths outside `/gateway/`. Attackers can use crafted payloads to inject malicious traces and manipulate job data through these API endpoints, which allow executing jobs and retrieving sensitive job-related data without proper authentication.
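The failure pattern described above, as an added example that is not MLflow's code: a simplified model of a prefix-based validator lookup that passes unmatched paths through, next to a deny-by-default version, plus a small audit a defender can run over a route list. All function names and every path other than `/gateway/` are constructed placeholders.

```python
from typing import Callable, Dict, Iterable, List, Optional

Validator = Callable[[Optional[str]], bool]


def require_user(user: Optional[str]) -> bool:
    """Allow only requests that carry an authenticated identity."""
    return user is not None


# Assumption: only one prefix has a validator registered, mirroring the
# page's statement that paths outside /gateway/ are not recognized.
VALIDATORS: Dict[str, Validator] = {"/gateway/": require_user}

# Constructed allowlist of endpoints that are meant to be anonymous.
PUBLIC_PATHS = frozenset({"/health"})


def find_validator(path: str) -> Optional[Validator]:
    """Return the validator for the first matching prefix, else None."""
    for prefix, validator in VALIDATORS.items():
        if path.startswith(prefix):
            return validator
    return None


def authorize_fail_open(path: str, user: Optional[str]) -> bool:
    """Flawed pattern: a path with no validator is passed through."""
    validator = find_validator(path)
    if validator is None:
        return True
    return validator(user)


def authorize_fail_closed(path: str, user: Optional[str]) -> bool:
    """Hardened pattern: unknown paths fall back to requiring a user."""
    if path in PUBLIC_PATHS:
        return True
    validator = find_validator(path) or require_user
    return validator(user)


def audit(paths: Iterable[str], authorize: Callable[[str, Optional[str]], bool]) -> List[str]:
    """List the paths an anonymous caller (user=None) is allowed to reach."""
    return sorted(p for p in paths if authorize(p, None))


# Constructed route list standing in for a server's registered routes.
SAMPLE_PATHS = ["/gateway/chat", "/example/jobs", "/example/traces", "/health"]
```

Running `audit` over the full route table of a deployment and comparing the result with the intended public allowlist shows any route that the permission layer silently skips.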

Upon successful exploitation, malicious actors can significantly compromise data integrity and execute unauthorized tasks. With access to the job management APIs, they can influence system operations by manipulating task execution and data logging. This may result in unauthorized resource usage, significant disruption of service, and potential leakage of sensitive data through the injection of arbitrary data. The architectural flaw allows malicious injections that can affect experiment outcomes, task scheduling, and data storage, leading to a broader security and operational impact.
