PT-2026-54935 · Mlflow · Mlflow
Published: 2026-07-02 · Updated: 2026-07-02 · CVE-2026-8147
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
MLflow versions prior to 3.14.0
Description
When authentication is enabled, the trace API endpoints lack proper authorization validators. The before-request handler never registers authorization validators for these endpoints, so requests to them are not checked against experiment-level access controls, and any authenticated user can bypass those controls. Consequently, an attacker with a valid account can read, delete, or modify traces on experiments they are not permitted to access. This can lead to the exposure of sensitive data, tampering with experiment telemetry, and the destruction of audit logs.
Recommendations
Update to version 3.14.0.
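The root cause described above is a validator registry that fails open: a route with no registered validator is let through instead of being denied. The following is an added example, not MLflow's own code, that re-implements that dispatch pattern in plain Python so the two behaviours can be compared. Route paths, experiment ids, user names and the permission names are all constructed for the example and do not correspond to MLflow's real API or data model.

```python
"""Added example (not MLflow code): a per-endpoint authorization registry
that fails open versus one that fails closed, plus a deployment-time audit
that lists routes with no validator registered."""
from dataclasses import dataclass

# Constructed ACL: experiment id -> {username: permission level}
EXPERIMENT_ACL = {
    "exp-1": {"alice": "MANAGE", "bob": "READ"},
    "exp-2": {"carol": "MANAGE"},
}
READ_PERMS = {"READ", "EDIT", "MANAGE"}
WRITE_PERMS = {"EDIT", "MANAGE"}


@dataclass(frozen=True)
class Request:
    path: str
    method: str
    user: str          # already authenticated; authorization is what we check
    experiment_id: str


def _perm(req: Request):
    """Permission the user holds on the experiment the request targets."""
    return EXPERIMENT_ACL.get(req.experiment_id, {}).get(req.user)


def validate_read(req: Request) -> bool:
    return _perm(req) in READ_PERMS


def validate_write(req: Request) -> bool:
    return _perm(req) in WRITE_PERMS


# Hypothetical route names. The trace routes are deliberately absent from
# BASE_REGISTRY, modelling the missing registration the advisory describes.
BASE_REGISTRY = {
    ("/api/experiments/get", "GET"): validate_read,
    ("/api/runs/update", "POST"): validate_write,
}
TRACE_VALIDATORS = {
    ("/api/traces/get", "GET"): validate_read,
    ("/api/traces/delete", "POST"): validate_write,
    ("/api/traces/set-tag", "POST"): validate_write,
}
FIXED_REGISTRY = {**BASE_REGISTRY, **TRACE_VALIDATORS}

# Every route the server actually serves (constructed list).
ALL_ROUTES = list(BASE_REGISTRY) + list(TRACE_VALIDATORS)


def authorize(req: Request, registry: dict, fail_closed: bool = True) -> bool:
    """Before-request dispatch. With fail_closed=False a route that has no
    validator is silently allowed (the vulnerable pattern); with
    fail_closed=True it is denied."""
    validator = registry.get((req.path, req.method))
    if validator is None:
        return not fail_closed
    return validator(req)


def unregistered_routes(routes, registry) -> list:
    """Deployment-time audit: routes that would hit the fall-through branch.
    A non-empty result is the signal a defender wants before go-live."""
    return sorted(set(routes) - set(registry))


if __name__ == "__main__":
    # bob only has READ on exp-1; he tries to delete traces on exp-2.
    req = Request("/api/traces/delete", "POST", "bob", "exp-2")
    print("fail-open, trace validators missing:",
          authorize(req, BASE_REGISTRY, fail_closed=False))   # True (bug)
    print("fail-closed, trace validators missing:",
          authorize(req, BASE_REGISTRY))                        # False
    print("fail-closed, validators registered:",
          authorize(req, FIXED_REGISTRY))                       # False
    print("routes lacking a validator:",
          unregistered_routes(ALL_ROUTES, BASE_REGISTRY))
```

The audit function is the practical takeaway: whichever web framework is used, enumerate the routes the server registers at start-up and compare them with the authorization registry, so that a newly added endpoint family (such as traces) cannot ship unprotected. Making the dispatch itself fail closed is the second layer, since an audit can be forgotten but a default deny cannot be bypassed by an omission.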
Weakness Enumeration
Improper Access Control
Affected Products
Mlflow