MLflow — CVE-2026-2652 Authentication Bypass Exposes ML Experiment Jobs

AI relevance: MLflow is the dominant open-source platform for ML experiment tracking and model lifecycle management — a high-severity auth bypass on experiment job endpoints lets unauthenticated attackers submit, read, and cancel ML training jobs or inject arbitrary trace data into experiments.

What happened

CVE-2026-2652 (CVSS 8.6) is a high-severity authentication bypass affecting mlflow/mlflow versions 3.9.0 and earlier, published on May 15, 2026. The vulnerability allows unauthenticated remote attackers to access specific FastAPI routes even when the MLflow server is configured with authentication enabled.

The bug

  • When MLflow is started with --app-name basic-auth and served via uvicorn (ASGI), its FastAPI permission middleware only enforces authentication on /gateway/ routes.
  • Other critical FastAPI routes remain completely unprotected, including the Job API (/ajax-api/3.0/jobs/*) and the OpenTelemetry trace ingestion API (/v1/traces).
  • The root cause is the _find_fastapi_validator() function, which fails to properly handle non-/gateway/ paths, resulting in a complete authentication bypass for these endpoints.

Impact

  • Attackers can submit new ML training jobs, retrieve results from existing jobs, or cancel running jobs — without any authentication.
  • The OpenTelemetry trace ingestion endpoint is accessible, allowing injection of arbitrary trace data into experiments, potentially corrupting experiment records or poisoning model evaluation data.
  • Exploitation requires no special setup beyond identifying a running MLflow instance with the vulnerable configuration.
  • No public proof-of-concept exploit is available at the time of disclosure.

Why it matters

  • MLflow is widely deployed in enterprise ML pipelines, AI research labs, and model training infrastructure — often exposed on internal networks with minimal access controls.
  • Unauthenticated job submission could allow attackers to consume compute resources, exfiltrate model artifacts, or inject poisoned training data.
  • OpenTelemetry trace injection could corrupt experiment records used for model evaluation, compliance reporting, or regulatory audit trails.
  • This is a textbook example of framework-level auth misconfiguration: Flask and FastAPI middleware operating independently, with security controls applying only to one layer.

What to do

  • Upgrade to MLflow 3.10.0 or later, which addresses this vulnerability.
  • If upgrading is not immediately possible, place MLflow behind a reverse proxy with authentication enforced at the network layer.
  • Audit MLflow experiment logs for unauthorized job submissions or anomalous trace data injection.
  • Review whether MLflow instances are exposed beyond trusted network segments.
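For the audit step above, one way to triage reverse-proxy access logs is to flag successful requests to the two route families named in this advisory that carried no authenticated user. This is an added example, not MLflow code. It assumes the proxy writes the common "combined" log format with the Basic-auth user name in the third field; the log lines, IP addresses and the example-id path segment are constructed.

```python
import re

JOBS_PREFIX = "/ajax-api/3.0/jobs"   # Job API path named in the advisory
TRACES_PATH = "/v1/traces"           # OpenTelemetry trace ingestion path

# Assumed "combined" access-log layout: ip ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_bypass_path(target):
    """True for the routes the advisory lists as missing auth enforcement."""
    path = target.split("?", 1)[0].rstrip("/")
    return (path == JOBS_PREFIX or path.startswith(JOBS_PREFIX + "/")
            or path == TRACES_PATH)

def find_unauthenticated_hits(lines):
    """Return (ip, method, target, status) for 2xx requests with no user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the assumed format
        if not is_bypass_path(m["target"]):
            continue
        # "-" means the proxy saw no Basic-auth user name on the request.
        if m["user"] == "-" and m["status"].startswith("2"):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/May/2026:09:12:01 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 412 "-" "client"',
    '198.51.100.7 - - [15/May/2026:09:14:37 +0000] "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 398 "-" "client"',
    '198.51.100.7 - - [15/May/2026:09:14:52 +0000] "POST /v1/traces HTTP/1.1" 200 2 "-" "client"',
    '198.51.100.7 - - [15/May/2026:09:15:03 +0000] "GET /gateway/ HTTP/1.1" 401 0 "-" "client"',
    '192.0.2.10 - - [15/May/2026:09:16:40 +0000] "GET /ajax-api/3.0/jobs/example-id?x=1 HTTP/1.1" 401 0 "-" "client"',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE_LOG):
        print(hit)
```

A 2xx response with an empty user field on these paths is what an instance with authentication enabled should never produce; each hit is a starting point for checking the corresponding job or trace records.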
