CVE-2025-15381
UNKNOWN
MLflow: broken access control exposes experiment traces
Any authenticated MLflow user, including accounts explicitly granted NO_PERMISSIONS, can read trace data and inject assessments on experiments in which they own nothing. If your ML platform runs `mlflow server --app-name=basic-auth`, assume all trace contents (prompts, inputs, outputs, metadata) are readable by every internal user until patched. Update MLflow immediately and audit who has any valid credential on your instance.
Severity & Risk
Recommended Action
1. Patch: Update to the fixed MLflow version as soon as available (monitor https://github.com/mlflow/mlflow/releases and the huntr disclosure).
2. Immediate workaround: Place MLflow behind a network perimeter (VPN/firewall) so only authorized users can authenticate at all, reducing the blast radius of the missing endpoint-level authz.
3. Audit access: Review who holds any valid MLflow credential; revoke dormant accounts.
4. Rotate secrets: If trace logs may contain API keys or credentials passed as model inputs, rotate them.
5. Detection: Review MLflow access logs for cross-experiment trace reads by users who own no runs in those experiments.
6. Consider disabling the assessments feature if not in active use until patched.
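The detection step above, sketched as an added example (not code from MLflow or from the original advisory). It assumes a reverse proxy in front of MLflow that writes combined-format access logs with the basic-auth username in the third field, that experiment IDs arrive in an `experiment_ids` query parameter, and that you export the entitlement map yourself; the function name and all sample data are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: a reverse proxy in front of MLflow writes combined-format access
# logs with the basic-auth username in the third field.
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TRACE_PREFIX = "/api/2.0/mlflow/traces"  # path named in the advisory

def find_unentitled_trace_requests(lines, allowed):
    """Count successful trace-endpoint requests per (user, experiment_id)
    where the user has no entitlement on that experiment.

    allowed: username -> set of experiment IDs the user may access, exported
    from your own permission records. Requests that carry no experiment ID
    are reported under "?" for manual review.
    """
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] == "-" or not m["status"].startswith("2"):
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(TRACE_PREFIX):
            continue
        # Assumption: experiment IDs arrive in an `experiment_ids` query parameter.
        for exp in parse_qs(url.query).get("experiment_ids") or ["?"]:
            if exp not in allowed.get(m["user"], set()):
                hits[(m["user"], exp)] += 1
    return dict(hits)

# Constructed sample data, not taken from a real deployment.
SAMPLE_ALLOWED = {"alice": {"7"}, "contractor1": set()}
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jan/2026:10:00:01 +0000] "GET /api/2.0/mlflow/traces?experiment_ids=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - contractor1 [12/Jan/2026:10:02:11 +0000] "GET /api/2.0/mlflow/traces?experiment_ids=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - contractor1 [12/Jan/2026:10:02:15 +0000] "GET /api/2.0/mlflow/traces?experiment_ids=7&max_results=100 HTTP/1.1" 200 9216',
    '10.0.0.9 - contractor1 [12/Jan/2026:10:02:20 +0000] "GET /api/2.0/mlflow/traces?experiment_ids=9 HTTP/1.1" 403 88',
    '10.0.0.9 - contractor1 [12/Jan/2026:10:02:31 +0000] "GET /api/2.0/mlflow/traces/tr-0001/info HTTP/1.1" 200 734',
    '10.0.0.5 - alice [12/Jan/2026:10:03:00 +0000] "GET /api/2.0/mlflow/experiments/get?experiment_id=7 HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    found = find_unentitled_trace_requests(SAMPLE_LOG, SAMPLE_ALLOWED)
    for (user, exp), count in sorted(found.items()):
        print(f"{user} -> experiment {exp}: {count} successful trace request(s)")
```

Entries reported under "?" need the trace-to-experiment mapping from your tracking store before they can be classified.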
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.
Exploitation Scenario
A contractor or low-privilege service account is granted an MLflow credential with NO_PERMISSIONS to run a limited task. Using standard MLflow REST API calls to the unprotected `/api/2.0/mlflow/traces` and assessment endpoints, they enumerate and download traces from all experiments, including the production LLM fine-tuning experiments they were never authorized to see. The traces contain the full prompt templates, system instructions, and labeled training examples your team spent months curating. In parallel, the attacker creates fraudulent assessments marking a backdoored model variant as high-quality, potentially influencing automated model promotion pipelines that trust MLflow evaluation scores.
Weaknesses (CWE)
References
- huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c