CVE-2026-2652: MLflow: auth bypass exposes Job API and trace injection

GHSA-75cm-x2w3-8mgf | HIGH | NUCLEI TEMPLATE | CISA: TRACK*
Published May 15, 2026
CISO Take

MLflow 3.9.0 and earlier contain a complete authentication bypass when deployed with `--app-name basic-auth` via uvicorn: FastAPI's permission middleware only guards `/gateway/` routes, leaving the Job API (`/ajax-api/3.0/jobs/*`) and OpenTelemetry trace ingestion (`/v1/traces`) entirely open to unauthenticated requests. Any attacker with network access to an exposed MLflow server can submit arbitrary jobs, read experiment results and model metrics, cancel in-flight training runs, and inject poisoned trace data — all without credentials. The insidious aspect is that operators who explicitly enabled authentication believe they are protected; this is a silent security regression caused by the Flask-to-FastAPI migration mismatch. Upgrade to MLflow 3.10.0 immediately; if patching is blocked, isolate the MLflow server behind an authenticated reverse proxy or firewall and audit `/ajax-api/3.0/jobs/` and `/v1/traces` access logs for unauthorized activity.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

HIGH for organizations whose MLflow server is reachable on internal networks or from the internet. The bypass requires no credentials, no user interaction, and no special tooling — a standard HTTP client is sufficient. Severity is unscored (CVSS N/A) because the CVE was published the same day, but the vulnerability class (CWE-305: Missing Authentication for Critical Function) maps to CVSS 9.1 CRITICAL under comparable auth-bypass CVEs. Blast radius scales with how central MLflow is to the ML pipeline: in a shared MLOps platform serving multiple teams, a single exploit can disrupt all concurrent training workloads and exfiltrate proprietary model experiment data.

How does the attack unfold?

  1. Reconnaissance (AML.T0006)

    Attacker scans the internal network, identifies an MLflow server on port 5000, and probes API routes to discover which endpoints respond without authentication headers.

  2. Authentication Bypass (AML.T0049)

    Attacker sends unauthenticated HTTP requests to `/ajax-api/3.0/jobs/list` and receives a 200 OK response, confirming that the FastAPI middleware gap leaves the Job API and trace endpoints unprotected despite `--app-name basic-auth` being configured.

  3. Data Collection & Job Manipulation (AML.T0035)

    Attacker enumerates experiment runs, extracts model metrics and artifact URIs via the Jobs API, cancels legitimate training runs, and submits rogue jobs pointing to attacker-controlled code.

  4. Experiment Integrity Compromise (AML.T0031)

    Attacker POSTs fabricated telemetry to `/v1/traces`, injecting poisoned observability data into active experiments to corrupt model evaluation records and mislead the ML engineering team.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable Range: < 3.11.0
Patched: 3.11.0

26.7K | OpenSSF 5.4 | 655 dependents | Pushed 6d ago | 31% patched | ~76d to patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 8.6 / 10
EPSS: 1.5% chance of exploitation in 30 days (higher than 71% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Nuclei detection template available

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

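AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): High
A (Availability): Low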

What should I do?

5 steps
  1. PATCH

    Upgrade to MLflow 3.10.0 where the FastAPI authentication middleware correctly handles non-/gateway/ routes.

  2. WORKAROUND (if upgrade blocked)

    Place MLflow behind an authenticated reverse proxy (nginx with auth_basic, Caddy with basicauth directive, or an API gateway) that enforces authentication before requests reach the MLflow server.

  3. NETWORK ISOLATION

    Restrict access to the MLflow server port via firewall rules to trusted CI/CD runners and data science workstations only — MLflow should never be internet-facing.

  4. DETECTION

    Audit server access logs for unauthenticated requests to /ajax-api/3.0/jobs/ and /v1/traces; unexpected HTTP 200 responses without Authorization headers indicate active exploitation.

  5. INTEGRITY CHECK

    If exposure is suspected, review experiment run history for unexpected job submissions and validate trace data integrity for active experiments.
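
The log audit in step 4, as an added example (not code from MLflow or from this advisory). It assumes access logs in nginx combined format from a proxy in front of MLflow, where the `$remote_user` field is `-` when no Basic credentials were sent; the sample lines are constructed.

```python
import re
from collections import Counter

# Path prefixes the advisory names as reachable without credentials.
SENSITIVE_PREFIXES = ("/ajax-api/3.0/jobs", "/v1/traces")

# Assumed nginx "combined" layout: addr - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (addresses, users, timestamps and query string are made up).
SAMPLE_LOG = [
    '10.0.4.17 - - [15/May/2026:09:12:01 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.4.17 - - [15/May/2026:09:12:09 +0000] "POST /v1/traces HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    '10.0.2.8 - alice [15/May/2026:09:13:00 +0000] "GET /ajax-api/3.0/jobs/list HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '10.0.4.17 - - [15/May/2026:09:13:30 +0000] "GET /gateway/ HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '10.0.4.17 - - [15/May/2026:09:14:00 +0000] "GET /ajax-api/3.0/jobs/list?page=2 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.9.3 - - [15/May/2026:09:15:00 +0000] "POST /v1/traces HTTP/1.1" 401 0 "-" "-"',
]


def find_unauthenticated_hits(lines):
    """Return records for 2xx responses on sensitive paths sent without a user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        # The page names HTTP 200; any 2xx is treated the same way here.
        if m["user"] == "-" and m["status"].startswith("2"):
            hits.append({"addr": m["addr"], "time": m["time"],
                         "method": m["method"], "path": path})
    return hits


def count_by_source(hits):
    """Count flagged requests per (client address, path) for triage."""
    return Counter((h["addr"], h["path"]) for h in hits)


if __name__ == "__main__":
    flagged = count_by_source(find_unauthenticated_hits(SAMPLE_LOG))
    for (addr, path), n in flagged.most_common():
        print(f"{n:4d}  {addr:15s}  {path}")
```

A hit is a lead for the integrity check in step 5, not proof on its own: token-based clients also leave `$remote_user` empty, so compare the flagged addresses against known CI/CD runners and workstations.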

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.6.2 - AI risk treatment
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10: LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-2652 actively exploited?

No confirmed active exploitation of CVE-2026-2652 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2652?

1. PATCH: Upgrade to MLflow 3.10.0 where the FastAPI authentication middleware correctly handles non-`/gateway/` routes.
2. WORKAROUND (if upgrade blocked): Place MLflow behind an authenticated reverse proxy (nginx with auth_basic, Caddy with basicauth directive, or an API gateway) that enforces authentication before requests reach the MLflow server.
3. NETWORK ISOLATION: Restrict access to the MLflow server port via firewall rules to trusted CI/CD runners and data science workstations only — MLflow should never be internet-facing.
4. DETECTION: Audit server access logs for unauthenticated requests to `/ajax-api/3.0/jobs/` and `/v1/traces`; unexpected HTTP 200 responses without Authorization headers indicate active exploitation.
5. INTEGRITY CHECK: If exposure is suspected, review experiment run history for unexpected job submissions and validate trace data integrity for active experiments.

What systems are affected by CVE-2026-2652?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model training pipelines, experiment tracking systems, model development workflows, CI/CD-integrated ML pipelines.

What is the CVSS score for CVE-2026-2652?

CVE-2026-2652 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 1.50%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelines, model training pipelines, experiment tracking systems, model development workflows, CI/CD-integrated ML pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0031 Erode AI Model Integrity
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
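
A simplified model of the gap described above, next to a default-deny form, as an added example. It is not MLflow source code: `find_validator`, `PUBLIC_PATHS`, `/health`, the middleware functions and the credential store are hypothetical.

```python
import base64
import hmac

USERS = {"alice": "constructed-password"}  # constructed credential store
PUBLIC_PATHS = frozenset({"/health"})      # hypothetical explicit allow-list


def basic_header(user, password):
    """Build an Authorization header dict for the given credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def check_basic_auth(headers):
    """Validate HTTP Basic credentials against USERS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or invalid UTF-8
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(pw.encode(), expected.encode())


def find_validator(path):
    """Model of the described lookup: only /gateway/ paths get a validator."""
    return check_basic_auth if path.startswith("/gateway/") else None


def middleware_fail_open(path, headers):
    """'Before': a path with no validator is passed through unchecked."""
    validator = find_validator(path)
    if validator is not None and not validator(headers):
        return 401
    return 200


def middleware_default_deny(path, headers):
    """Hardened: every path is authenticated unless explicitly public."""
    if path in PUBLIC_PATHS:
        return 200
    validator = find_validator(path) or check_basic_auth
    return 200 if validator(headers) else 401


if __name__ == "__main__":
    for path in ("/gateway/", "/ajax-api/3.0/jobs/list", "/v1/traces"):
        print(path, middleware_fail_open(path, {}), middleware_default_deny(path, {}))
```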

Exploitation Scenario

An attacker conducting internal network reconnaissance identifies an MLflow server on port 5000 running mlflow 3.9.0 with `--app-name basic-auth` configured. Knowing that auth is enabled, they probe non-gateway routes and discover that `GET /ajax-api/3.0/jobs/list` returns a 200 with full job metadata — no credentials required. The attacker then enumerates all active training runs via the Jobs API, extracts model performance metrics and dataset artifact URIs, and submits a malicious job via `POST /ajax-api/3.0/jobs/create` pointing to an attacker-controlled script. Simultaneously, they POST to `/v1/traces` to inject falsified observability data into ongoing experiments, manipulating the accuracy metrics visible to the ML engineering team. The entire compromise happens over HTTP with no exploitation tooling beyond curl.

Weaknesses (CWE)

CWE-305 — Authentication Bypass by Primary Weakness: The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Timeline

Published: May 15, 2026
Last Modified: May 21, 2026
First Seen: May 15, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2026/CVE-2026-2652.yaml -u https://target.example.com

Related Vulnerabilities