CVE-2026-2652
Published: 15 May 2026
Summary
CVE-2026-2652 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Lfprojects Mlflow. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability in MLflow versions 3.9.0 and earlier permits unauthenticated access to selected FastAPI routes when the server is launched with authentication enabled via the --app-name basic-auth flag and served through uvicorn. The FastAPI permission middleware restricts checks to /gateway/ paths only, leaving endpoints such as the Job API at /ajax-api/3.0/jobs/* and the OpenTelemetry trace ingestion route at /v1/traces exposed. The root cause is an architectural mismatch between the original Flask authentication logic and the FastAPI implementation, specifically the failure of _find_fastapi_validator() to cover non-/gateway/ routes.
Unauthenticated remote attackers can therefore submit jobs, retrieve job results, cancel active jobs, and inject arbitrary trace data into experiments without providing credentials. Exploitation requires only network access to a uvicorn-hosted MLflow instance configured for basic authentication and does not depend on any user interaction or special privileges.
The issue is resolved in MLflow 3.10.0. The referenced commit bb62e773263c14e9ba4d1a82fe72d0de2442c6aa restores proper authentication coverage across all FastAPI routes, and the finding was reported through the huntr.com disclosure platform.
EPSS remains low and unchanged at a peak of 0.0132 with no material increase after disclosure. The affected component is the core experiment-tracking server used in many machine-learning workflows.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30499
Vulnerability details
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes,…
more
leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mlflow
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass on public-facing MLflow server directly enables remote exploitation of exposed APIs without credentials.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication and authorization on every API route, preventing the FastAPI middleware bypass that left /ajax-api/ and /v1/traces unprotected.
Requires least-privilege assignment so that job submission, cancellation, and trace ingestion endpoints cannot be reached without explicit authorization.
Mandates identification and authentication of all users before any non-public MLflow operation, closing the unauthenticated remote access path described in the CVE.