MLflow, Missing Authorization (Bypass), CVE-2026-2734 (Medium) -DC-Jun2026-92

Listen to this Post

How CVE-2026-2734 Works

This is an authorization bypass in MLflow’s model registry. The vulnerable components are the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query. When basic authentication is enabled, the system fails to enforce per-model access controls, allowing any authenticated user to enumerate all model versions across all registered models.
The root cause lies in the omission of this functionality from two key security layers. For the REST API, the `SearchModelVersions` endpoint is absent from BEFORE_REQUEST_VALIDATORS, which typically enforces permission checks before processing a request, and also from AFTER_REQUEST_HANDLERS, which filters search results based on permissions before returning them to the user.
For the GraphQL interface, the `mlflowSearchModelVersions` query is not included in GraphQLAuthorizationMiddleware.PROTECTED_FIELDS. This middleware normally acts as a gatekeeper for GraphQL operations, ensuring that only authorized users can access or mutate specific fields.
Because the request bypasses these checks, the backend executes the search query against the database without applying any user-specific model ownership or access rights. The API then returns a full dataset containing model names, version descriptions, source URIs (potentially revealing internal paths), tags (which may contain internal API endpoints or configuration), and other metadata. As the CVSS vector string `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` indicates, the attack is network-exploitable, has low complexity, requires low-privileged authentication, and results in high confidentiality impact with no impact on integrity or availability.

DailyCVE Form

Platform: mlflow/mlflow
Version: ≤3.9.0
Vulnerability: Missing authorization
Severity: Medium (6.5)
date: 2026-05-21

Prediction: Already patched (3.10.0)

What Undercode Say

Analytics from Huntr and VulDB highlight the following technical insights.
Patch Commit: The fix is implemented in commit 6989066af33fdcb03588fd71a1a67f8fc5ef12c9.

REST Fix: Add `SearchModelVersions` to `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS`.

GraphQL Fix: Add `search_model_versions` to `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS`.

Authentication: Bypass occurs only when basic authentication is enabled.

Attack Vector: Network-based, remote.

Bash Commands to Detect Vulnerable Version:

Check MLflow version
mlflow --version
For Python package
pip show mlflow | grep Version

cURL to Exploit REST Endpoint:

curl -X GET "http://target-mlflow:5000/api/2.0/mlflow/model-versions/search" \
-u "low_privileged_user:password" \
-H "Content-Type: application/json"

GraphQL Payload to Enumerate:

query {
mlflowSearchModelVersions {
name
version
description
source
tags
}
}

Exploit

An attacker with any valid user credentials (e.g., a low-privileged user in a multi-tenant environment) can exploit this without any special tools. Step-by-step:
1. Authenticate: Obtain a valid session using basic authentication.
2. Send Request: Issue a GET request to `/api/2.0/mlflow/model-versions/search` (REST) or a GraphQL query to mlflowSearchModelVersions.
3. Enumerate: The response will contain all model versions from all tenants, including those the user should not have access to.
4. Exfiltrate: Extract metadata such as source URIs (which may contain internal storage paths and run IDs) and tags (which may contain API keys or internal endpoints).

Protection

Primary Mitigation: Upgrade to MLflow version 3.10.0 or later.
Temporary Workaround: If upgrading is not immediately possible, disable the `SearchModelVersions` REST API route and the `mlflowSearchModelVersions` GraphQL query, or restrict network access to the MLflow server until patching is completed.
Monitoring: Implement monitoring for suspicious enumeration patterns such as repeated `SearchModelVersions` API calls from a single user.

Impact

The confidentiality impact is high. An attacker can gain unauthorized visibility into all models stored in the registry, leading to:
Intellectual Property Theft: Exposure of proprietary model implementations, training methodologies, and deployment configurations.
Competitive Intelligence: Mapping the complete model landscape of an organization in a multi-tenant environment.
Lateral Movement: Source URIs and tags may provide internal IP addresses, storage paths, or run IDs that can be used to pivot to other systems.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top