Cyber Resilience

CVE-2026-4035

HighPublic PoCUpdated

Published: 03 June 2026

Published
03 June 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0043 34.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4035 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field…

more

in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, mlflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vuln enables direct credential exfiltration via env var resolution in secrets (T1552) and is explicitly exploitable for credential access (T1212).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-8859Same product: Lfprojects Mlflow
CVE-2025-11200Same product: Lfprojects Mlflow
CVE-2025-0453Same product: Lfprojects Mlflow
CVE-2026-2652Same product: Lfprojects Mlflow
CVE-2026-0545Same product: Lfprojects Mlflow
CVE-2025-15031Same product: Lfprojects Mlflow
CVE-2026-0596Same product: Lfprojects Mlflow
CVE-2025-11201Same product: Lfprojects Mlflow
CVE-2025-14287Same product: Lfprojects Mlflow
CVE-2025-1473Same product: Lfprojects Mlflow

Affected Assets

lfprojects
mlflow
≤ 3.11.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-201

Embedding taints allows detection when sensitive data is inserted into outbound or sent data streams.

References