MLflow: Critical Credential Leakage Flaw Disclosed Alongside Two Other Vulnerabilities

Key findings
- Critical CVE-2026-4035 allows exfiltration of sensitive environment credentials via MLflow AI Gateway secrets.
- Medium CVE-2026-3198 bypasses authorization checks on multiple MLflow AI Gateway 'list' API endpoints.
- Low CVE-2026-10803 involves the use of weak hash algorithms in dataset digest computation.
- Vulnerabilities disclosed between June 2nd and June 4th, 2026, affecting MLflow versions up to 3.10.0 and 3.9.0.
- Critical flaw requires immediate update to MLflow 3.11.0 or later to mitigate credential leakage.

MLflow, an open-source platform for managing the machine learning lifecycle, is facing scrutiny following the disclosure of three vulnerabilities over a two-day period. The most severe, CVE-2026-4035, carries a critical CVSSv3 score of 9.1 and poses a significant risk of sensitive credential exfiltration.
This critical flaw affects MLflow versions prior to 3.11.0. It stems from the way AI Gateway secrets management resolves environment variables. Attackers can exploit this by manipulating the api_key field in gateway secrets, causing sensitive server-side environment credentials to be sent to an attacker-controlled endpoint. This could lead to unauthorized access and compromise of the underlying infrastructure.
Alongside the critical vulnerability, a medium-severity flaw, CVE-2026-3198, was also disclosed. This vulnerability impacts MLflow 3.9.0 when using basic-auth. The server fails to enforce authorization checks for several AI Gateway API 'list' endpoints, including ListGatewaySecretInfos and ListGatewayEndpoints. This oversight could allow unauthenticated users to enumerate sensitive information about gateway secrets and endpoints.
The third vulnerability, CVE-2026-10803, is rated as low severity with a CVSSv3 score of 3.6. This issue resides in the mlflow.data.digest_utils function within mlflow/data/digest_utils.py. The vulnerability involves the use of a weak hash algorithm for computing dataset digests, which could potentially be manipulated by an attacker on the local host. While less severe, it could still impact data integrity checks.
The vulnerabilities were disclosed between June 2nd and June 4th, 2026, with the critical CVE-2026-4035 being reported on June 3rd. The affected versions and specific components highlight areas that require immediate attention from MLflow users. The critical nature of CVE-2026-4035, in particular, necessitates prompt patching to prevent potential widespread compromise of sensitive credentials.
MLflow users are strongly advised to update their installations to the latest available versions. For CVE-2026-4035, this means upgrading to MLflow 3.11.0 or later. For CVE-2026-3198, users should ensure they are not running MLflow 3.9.0 with basic-auth or update to a patched version. While CVE-2026-10803 is low severity, updating to a version that addresses weak hashing practices is also recommended to maintain robust data integrity.
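A triage sketch for the upgrade advice above, added here and not taken from MLflow or the advisories: it checks pinned requirement lines against the version facts the article states. The host names, the inventory and the helper names are constructed for illustration, and only exact `mlflow==` pins are judged automatically.

```python
import re

# Version facts from the article. CVE-2026-10803 is left out because the
# article gives no fixed version for it.
FIXED_4035 = (3, 11, 0)     # CVE-2026-4035: versions prior to 3.11.0
AFFECTED_3198 = (3, 9, 0)   # CVE-2026-3198: 3.9.0 when basic-auth is in use

# Exact pins only, with optional extras: mlflow==X.Y.Z or mlflow[extras]==X.Y.Z
PIN = re.compile(r"^\s*mlflow(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)(\S*)", re.I)
PRERELEASE = re.compile(r"\.?(a|b|rc|dev)\d*", re.I)

def parse_pin(line):
    """Return ((major, minor, patch), is_prerelease), or None if not an exact pin."""
    m = PIN.match(line)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")] + [0, 0]
    return tuple(parts[:3]), bool(PRERELEASE.match(m.group(2)))

def triage(line, basic_auth=False):
    """List the CVEs from the article that apply to one requirement line."""
    parsed = parse_pin(line)
    if parsed is None:
        return None  # range, unpinned or other package: review by hand
    release, pre = parsed
    hits = []
    # A pre-release of 3.11.0 sorts before 3.11.0, so it counts as "prior to".
    if release < FIXED_4035 or (release == FIXED_4035 and pre):
        hits.append("CVE-2026-4035")
    if release == AFFECTED_3198 and not pre and basic_auth:
        hits.append("CVE-2026-3198")
    return hits

# Constructed inventory: (host, requirement line, basic-auth enabled)
INVENTORY = [
    ("tracking-01", "mlflow==3.9.0", True),
    ("tracking-02", "mlflow[extras]==3.10.0", False),
    ("gateway-01", "mlflow==3.11.0rc1", False),
    ("gateway-02", "mlflow==3.11.0", True),
    ("batch-01", "mlflow>=3.0", False),
]

def scan(inventory):
    """Map each host to its list of applicable CVEs (None = manual review)."""
    return {host: triage(line, auth) for host, line, auth in inventory}

if __name__ == "__main__":
    for host, result in scan(INVENTORY).items():
        print(host, "manual review" if result is None else (result or "no match"))
```

A result of `None` means the line could not be judged automatically (a version range or a different package) and the installed version should be confirmed on the host.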