CVE-2026-2652: MLflow: auth bypass exposes Job API and trace injection

AWAITING NVD
Published May 15, 2026
CISO Take

MLflow 3.9.0 and earlier contain a complete authentication bypass when deployed with `--app-name basic-auth` via uvicorn: FastAPI's permission middleware only guards `/gateway/` routes, leaving the Job API (`/ajax-api/3.0/jobs/*`) and OpenTelemetry trace ingestion (`/v1/traces`) entirely open to unauthenticated requests. Any attacker with network access to an exposed MLflow server can submit arbitrary jobs, read experiment results and model metrics, cancel in-flight training runs, and inject poisoned trace data — all without credentials. The insidious aspect is that operators who explicitly enabled authentication believe they are protected; this is a silent security regression caused by the Flask-to-FastAPI migration mismatch. Upgrade to MLflow 3.10.0 immediately; if patching is blocked, isolate the MLflow server behind an authenticated reverse proxy or firewall and audit `/ajax-api/3.0/jobs/` and `/v1/traces` access logs for unauthorized activity.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

HIGH for organizations whose MLflow server is reachable on internal networks or from the internet. The bypass requires no credentials, no user interaction, and no special tooling; a standard HTTP client is sufficient. Severity is unscored (CVSS N/A) because the CVE was published the same day, but the vulnerability class (CWE-305: Missing Authentication for Critical Function) maps to CVSS 9.1 CRITICAL under comparable auth-bypass CVEs. Blast radius scales with how central MLflow is to the ML pipeline: in a shared MLOps platform serving multiple teams, a single exploit can disrupt all concurrent training workloads and exfiltrate proprietary model experiment data.

Attack Kill Chain

  1. Reconnaissance (AML.T0006)

    Attacker scans the internal network, identifies an MLflow server on port 5000, and probes API routes to discover which endpoints respond without authentication headers.

  2. Authentication Bypass (AML.T0049)

    Attacker sends unauthenticated HTTP requests to `/ajax-api/3.0/jobs/list` and receives a 200 OK response, confirming that the FastAPI middleware gap leaves the Job API and trace endpoints unprotected despite `--app-name basic-auth` being configured.

  3. Data Collection & Job Manipulation (AML.T0035)

    Attacker enumerates experiment runs, extracts model metrics and artifact URIs via the Jobs API, cancels legitimate training runs, and submits rogue jobs pointing to attacker-controlled code.

  4. Experiment Integrity Compromise (AML.T0031)

    Attacker POSTs fabricated telemetry to `/v1/traces`, injecting poisoned observability data into active experiments to corrupt model evaluation records and mislead the ML engineering team.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch
Package stats: 25.8K; OpenSSF 4.7; 624 dependents; pushed 5d ago; 23% patched; ~64d to patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. PATCH

    Upgrade to MLflow 3.10.0 where the FastAPI authentication middleware correctly handles non-`/gateway/` routes.

  2. WORKAROUND (if upgrade blocked)

    Place MLflow behind an authenticated reverse proxy (nginx with `auth_basic`, Caddy with the `basicauth` directive, or an API gateway) that enforces authentication before requests reach the MLflow server.

  3. NETWORK ISOLATION

    Restrict access to the MLflow server port via firewall rules to trusted CI/CD runners and data science workstations only; MLflow should never be internet-facing.

  4. DETECTION

    Audit server access logs for unauthenticated requests to `/ajax-api/3.0/jobs/` and `/v1/traces`; unexpected HTTP 200 responses without Authorization headers indicate active exploitation.

  5. INTEGRITY CHECK

    If exposure is suspected, review experiment run history for unexpected job submissions and validate trace data integrity for active experiments.
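One way to run the DETECTION step, added here as an example and not taken from the advisory or from MLflow. It assumes the logs come from a proxy in front of MLflow writing nginx/Apache "combined" format, where the `remote_user` field is `-` when no Basic credentials were sent; the sample lines are constructed.

```python
import re
from collections import Counter

# Routes the advisory lists as reachable without credentials on MLflow <= 3.9.0.
AFFECTED_PREFIXES = ("/ajax-api/3.0/jobs/", "/v1/traces")

# combined format: ip ident remote_user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_unauthenticated_hits(lines):
    """Return entries for 2xx responses on affected routes with no auth user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(AFFECTED_PREFIXES):
            continue
        # "-" means no Basic credentials; 2xx means the request was served.
        if m["user"] == "-" and m["status"].startswith("2"):
            entry = m.groupdict()
            entry["path"] = path
            hits.append(entry)
    return hits

def hits_by_source(hits):
    """Count hits per client address, noisiest first."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample lines (documentation IP ranges, hypothetical /gateway/ path).
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/May/2026:10:01:02 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512 "-" "python-requests"',
    '198.51.100.7 - - [15/May/2026:10:03:11 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512 "-" "curl"',
    '198.51.100.7 - - [15/May/2026:10:03:40 +0000] "POST /v1/traces?x=1 HTTP/1.1" 200 2 "-" "curl"',
    '198.51.100.7 - - [15/May/2026:10:04:02 +0000] "GET /gateway/endpoints HTTP/1.1" 401 0 "-" "curl"',
    '192.0.2.44 - - [15/May/2026:10:05:00 +0000] "POST /v1/traces HTTP/1.1" 401 0 "-" "otel"',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["path"], hit["status"])
    print(hits_by_source(find_unauthenticated_hits(SAMPLE_LOG)))
```

A log that records only uvicorn's own access lines carries no user field, so this check needs the proxy or gateway log rather than MLflow's.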

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.6.2 - AI risk treatment
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10: LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-2652 actively exploited?

No confirmed active exploitation of CVE-2026-2652 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-2652?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model training pipelines, experiment tracking systems, model development workflows, CI/CD-integrated ML pipelines.

What is the CVSS score for CVE-2026-2652?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
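The fail-open pattern described above, next to a default-deny alternative, as an added example that is a simplified model and not MLflow's source code. The function names, the `PUBLIC_PATHS` allowlist, the `/health` and `/gateway/x` paths and the credentials are all assumptions made for illustration.

```python
import base64
import hmac

PUBLIC_PATHS = {"/health"}  # assumption: routes deliberately left open

def check_basic(headers, users):
    """True only when Authorization carries a known user:password pair."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def find_validator_fail_open(path):
    """Model of the gap: only /gateway/ paths map to a validator."""
    return check_basic if path.startswith("/gateway/") else None

def authorize_fail_open(path, headers, users):
    validator = find_validator_fail_open(path)
    if validator is None:
        return True  # no validator found, so the request passes unchecked
    return validator(headers, users)

def authorize_fail_closed(path, headers, users):
    """Default deny: anything not explicitly public must authenticate."""
    if path in PUBLIC_PATHS:
        return True
    return check_basic(headers, users)

# Constructed credentials and header for the demonstration.
USERS = {"alice": "correct horse"}
GOOD = {"authorization": "Basic " + base64.b64encode(b"alice:correct horse").decode()}

def compare(path):
    """(fail_open, fail_closed) decisions for a request with no credentials."""
    return authorize_fail_open(path, {}, USERS), authorize_fail_closed(path, {}, USERS)

if __name__ == "__main__":
    for p in ("/gateway/x", "/ajax-api/3.0/jobs/list", "/v1/traces", "/health"):
        print(p, compare(p))
```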

Exploitation Scenario

An attacker conducting internal network reconnaissance identifies an MLflow server on port 5000 running mlflow 3.9.0 with `--app-name basic-auth` configured. Knowing that auth is enabled, they probe non-gateway routes and discover that `GET /ajax-api/3.0/jobs/list` returns a 200 with full job metadata, no credentials required. The attacker then enumerates all active training runs via the Jobs API, extracts model performance metrics and dataset artifact URIs, and submits a malicious job via `POST /ajax-api/3.0/jobs/create` pointing to an attacker-controlled script. Simultaneously, they POST to `/v1/traces` to inject falsified observability data into ongoing experiments, manipulating the accuracy metrics visible to the ML engineering team. The entire compromise happens over HTTP with no exploitation tooling beyond curl.

Weaknesses (CWE)

Timeline

Published: May 15, 2026
Last Modified: May 15, 2026
First Seen: May 15, 2026
