PT-2026-54935 · Mlflow · Mlflow

Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-8147

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

MLflow versions prior to 3.14.0

Description

When authentication is enabled, the trace API endpoints lack proper authorization validators. This occurs because the before request handler fails to register authorization validators for these endpoints, allowing any authenticated user to bypass experiment-level access controls. Consequently, an attacker with a valid account can read, delete, or modify traces on experiments they are not permitted to access. This can lead to the exposure of sensitive data, tampering with experiment telemetry, and the destruction of audit logs.

Recommendations

Update to version 3.14.0.
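The failure mode in the description, a before-request handler that allows any route with no registered validator, can be modelled and caught with a coverage check. The following is an added example, not MLflow's code: the route paths, users, permission table and function names are all constructed for illustration.

```python
# Added illustration; route names, users and helper names are constructed,
# not MLflow's actual code.
from typing import Callable, Dict, List, Tuple

Route = Tuple[str, str]  # (HTTP method, path)

# Constructed ACL: which user may access which experiment.
PERMISSIONS = {("alice", "exp-1"), ("bob", "exp-2")}

def can_access_experiment(user: str, experiment_id: str) -> bool:
    return (user, experiment_id) in PERMISSIONS

# All routes the application serves (constructed sample).
ROUTES: List[Route] = [
    ("GET", "/experiments/get"),
    ("GET", "/traces/get"),
    ("DELETE", "/traces/delete"),
]

# Validators known to the before-request handler. The trace routes are
# missing, which models the flaw the advisory describes.
VALIDATORS: Dict[Route, Callable[[str, str], bool]] = {
    ("GET", "/experiments/get"): can_access_experiment,
}

def before_request_fail_open(route, user, experiment_id) -> bool:
    """Flawed pattern: a route with no registered validator is allowed."""
    validator = VALIDATORS.get(route)
    if validator is None:
        return True
    return validator(user, experiment_id)

def before_request_fail_closed(route, user, experiment_id, validators=VALIDATORS) -> bool:
    """Hardened pattern: a route with no registered validator is denied."""
    validator = validators.get(route)
    return validator is not None and validator(user, experiment_id)

def unprotected_routes(routes, validators) -> List[Route]:
    """Coverage audit for CI: every served route that lacks a validator."""
    return [r for r in routes if r not in validators]

if __name__ == "__main__":
    print("unprotected:", unprotected_routes(ROUTES, VALIDATORS))
```

Running a check like `unprotected_routes` as a test that must return an empty list turns a forgotten registration into a build failure instead of a silent authorization gap.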

Exploit · Fix · Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-8147

Affected Products

Mlflow