Cyber Resilience

CVE-2026-2652

HighPublic PoC

Published: 15 May 2026

Published
15 May 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v3 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Score 0.0150 71.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2652 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Lfprojects Mlflow. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability in MLflow versions 3.9.0 and earlier permits unauthenticated access to selected FastAPI routes when the server is launched with authentication enabled via the --app-name basic-auth flag and served through uvicorn. The FastAPI permission middleware restricts checks to /gateway/ paths only, leaving endpoints such as the Job API at /ajax-api/3.0/jobs/* and the OpenTelemetry trace ingestion route at /v1/traces exposed. The root cause is an architectural mismatch between the original Flask authentication logic and the FastAPI implementation, specifically the failure of _find_fastapi_validator() to cover non-/gateway/ routes.

Unauthenticated remote attackers can therefore submit jobs, retrieve job results, cancel active jobs, and inject arbitrary trace data into experiments without providing credentials. Exploitation requires only network access to a uvicorn-hosted MLflow instance configured for basic authentication and does not depend on any user interaction or special privileges.

The issue is resolved in MLflow 3.10.0. The referenced commit bb62e773263c14e9ba4d1a82fe72d0de2442c6aa restores proper authentication coverage across all FastAPI routes, and the finding was reported through the huntr.com disclosure platform.

EPSS remains low and unchanged at a peak of 0.0132 with no material increase after disclosure. The affected component is the core experiment-tracking server used in many machine-learning workflows.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes,…

more

leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mlflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass on public-facing MLflow server directly enables remote exploitation of exposed APIs without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11200Same product: Lfprojects Mlflow
CVE-2025-11201Same product: Lfprojects Mlflow
CVE-2026-0545Same product: Lfprojects Mlflow
CVE-2025-15031Same product: Lfprojects Mlflow
CVE-2025-1473Same product: Lfprojects Mlflow
CVE-2025-0453Same product: Lfprojects Mlflow
CVE-2024-8859Same product: Lfprojects Mlflow
CVE-2026-4035Same product: Lfprojects Mlflow
CVE-2026-0596Same product: Lfprojects Mlflow
CVE-2025-14287Same product: Lfprojects Mlflow

Affected Assets

lfprojects
mlflow
≤ 3.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization on every API route, preventing the FastAPI middleware bypass that left /ajax-api/ and /v1/traces unprotected.

prevent

Requires least-privilege assignment so that job submission, cancellation, and trace ingestion endpoints cannot be reached without explicit authorization.

prevent

Mandates identification and authentication of all users before any non-public MLflow operation, closing the unauthenticated remote access path described in the CVE.

References