PT-2026-23821 · Undefined · Undefined

Published 2026-03-07 · Updated 2026-03-07 · CVE-2025-14297

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
We (at Tachyon) found an auth bypass in MLflow https://tachyon.so/blog/cve-2025-14297-mlflow-authorization-bypass:
  1. Black-box scanners would need to discover the right users, roles, and state transitions, then generate specific request sequences that trigger a gap: a combinatorial problem that scales poorly.
  2. Based on the widespread use of the @auth required decorator and the BEFORE REQUEST VALIDATORS registry, Tachyon inferred that per-object authorization was an intended invariant: every endpoint accessing experiments, runs, or artifacts should be covered by the validator mechanism.
  3. This reduces the chance that adding a new interface (a helper route, a new UI endpoint, a GraphQL resolver) creates a bypass simply because it was not wired into the original enforcement mechanism.
@secharvester
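The post above describes an invariant (every endpoint that touches experiments, runs or artifacts is covered by a before-request validator registry) and a mitigation (checking that invariant so a newly added route cannot silently skip enforcement). The following is an added illustration written for this page, not Tachyon's or MLflow's code: a toy Flask-style route table, a validator registry keyed by (path, method), an invariant check that lists resource-touching routes with no validator, and a dispatcher that can fail closed when no validator is registered. All route paths, function names, the `touches_resources` flag and the sample ownership data are constructed for the example.

```python
"""Toy model of a per-object authorization invariant for a Flask-style server.

Constructed example (not MLflow's code): routes are plain Python records,
validators live in a registry keyed by (path, method), and an invariant
check reports any resource-touching route that has no validator wired in.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed in-memory "database": which user owns which experiment.
EXPERIMENT_OWNERS = {"exp-1": "alice", "exp-2": "bob"}


@dataclass
class Request:
    path: str
    method: str
    user: str
    args: Dict[str, str] = field(default_factory=dict)


@dataclass
class Route:
    path: str
    method: str
    handler: Callable[[Request], str]
    # Hypothetical metadata: does this endpoint read or write experiments, runs or artifacts?
    touches_resources: bool


def validate_can_read_experiment(req: Request) -> bool:
    """Per-object check: the caller may read only experiments they own."""
    return EXPERIMENT_OWNERS.get(req.args.get("experiment_id", "")) == req.user


# Registry of before-request validators, keyed by (path, method).
# Hypothetical layout modelled on the registry idea mentioned in the post.
BEFORE_REQUEST_VALIDATORS: Dict[Tuple[str, str], Callable[[Request], bool]] = {
    ("/api/experiments/get", "GET"): validate_can_read_experiment,
}


def get_experiment(req: Request) -> str:
    return f"experiment {req.args['experiment_id']}"


def get_experiment_helper(req: Request) -> str:
    # A later-added helper route that reads the same object but was never
    # registered in BEFORE_REQUEST_VALIDATORS.
    return f"experiment {req.args['experiment_id']} (via helper)"


def health(req: Request) -> str:
    return "ok"


ROUTES: List[Route] = [
    Route("/api/experiments/get", "GET", get_experiment, touches_resources=True),
    Route("/api/helper/experiment", "GET", get_experiment_helper, touches_resources=True),
    Route("/health", "GET", health, touches_resources=False),
]


def find_unprotected_routes(routes=ROUTES, registry=BEFORE_REQUEST_VALIDATORS) -> List[Tuple[str, str]]:
    """Invariant check, suitable for a unit test or CI gate:
    every resource-touching route must have a validator registered."""
    return [(r.path, r.method) for r in routes
            if r.touches_resources and (r.path, r.method) not in registry]


def dispatch(req: Request, fail_closed: bool,
             routes=ROUTES, registry=BEFORE_REQUEST_VALIDATORS) -> Tuple[int, str]:
    """Run the registered validator (if any) before the handler.

    fail_closed=False reproduces the weak pattern: an unregistered route simply
    skips the permission check. fail_closed=True denies resource-touching
    routes that have no validator, so a missing registration cannot become a bypass.
    """
    route = next((r for r in routes if r.path == req.path and r.method == req.method), None)
    if route is None:
        return 404, "not found"
    validator = registry.get((req.path, req.method))
    if validator is None:
        if fail_closed and route.touches_resources:
            return 403, "no validator registered for this route"
    elif not validator(req):
        return 403, "permission denied"
    return 200, route.handler(req)


if __name__ == "__main__":
    print("unprotected routes:", find_unprotected_routes())
    probe = Request("/api/helper/experiment", "GET", "bob", {"experiment_id": "exp-1"})
    print("fail-open :", dispatch(probe, fail_closed=False))
    print("fail-closed:", dispatch(probe, fail_closed=True))
```

The useful part for a defender is `find_unprotected_routes`: run it as a test over the real route table so that a new helper route, UI endpoint or resolver that touches protected objects fails CI until it is wired into the registry. The `fail_closed` branch in `dispatch` is the runtime backstop for the same invariant.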

Related Identifiers

CVE-2025-14297

Affected Products

Undefined