CVE-2026-2734: MLflow: missing authz exposes all model versions

AWAITING NVD
Published May 21, 2026
CISO Take

MLflow's SearchModelVersions REST endpoint and GraphQL query bypass per-model authorization entirely when basic auth is enabled, allowing any authenticated user — including low-privilege service accounts or contractors — to enumerate model names, version descriptions, source URIs, and tags across the entire model registry. In multi-tenant MLflow deployments this translates directly to IP theft risk: a single compromised or malicious account can silently map your entire AI portfolio, including training artifact storage paths that expose infrastructure topology and active R&D projects. There is no public exploit and it is not in CISA KEV, but the attack requires nothing beyond a valid login and a single API call, making it trivially executable by any insider or compromised account with zero technical sophistication. Upgrade to MLflow 3.10.0 immediately; if that is not possible, restrict basic auth access to strictly necessary accounts and audit SearchModelVersions call logs for unexpected principals.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

MEDIUM. Attack complexity is minimal — any authenticated user exploits this with a single API or GraphQL call, requiring no elevated privileges or specialized knowledge. Impact is limited to information disclosure rather than code execution or data modification, which constrains severity. Risk is materially elevated in multi-tenant or enterprise deployments where the model registry contains proprietary AI artifacts, training data URIs pointing to internal storage, or competitive R&D metadata. No public exploit exists and the CVE is absent from CISA KEV. Practical exposure depends entirely on deployment posture: isolated internal MLflow instances with fully trusted users present low residual risk, whereas instances accessible to contractors, partners, or with network exposure to broader enterprise segments warrant immediate remediation.

Attack Kill Chain

Initial Access
Attacker authenticates to MLflow using any valid low-privilege account — a contractor, data scientist with scoped permissions, or compromised CI/CD service account.
AML.T0012
Authorization Bypass
Attacker calls the SearchModelVersions REST API or GraphQL endpoint; absent authorization checks in BEFORE_REQUEST_VALIDATORS return all model versions across the entire registry regardless of the caller's permission scope.
AML.T0049
AI Artifact Discovery
Attacker paginates through the unrestricted response to enumerate all model names, versions, source URIs exposing artifact storage paths, tags, and descriptions across all registered models.
AML.T0007
Impact
Exfiltrated metadata enables downstream attacks — targeting exposed artifact storage URIs to steal or poison model binaries, mapping training pipelines for data poisoning, or packaging AI IP as competitive intelligence.
AML.T0035

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
mlflow  | pip       |                  | No patch


Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade MLflow to version 3.10.0 where authorization checks have been added to BEFORE_REQUEST_VALIDATORS, AFTER_REQUEST_HANDLERS, and GraphQLAuthorizationMiddleware.PROTECTED_FIELDS.

  2. If immediate upgrade is not feasible, implement network-level controls (firewall rules, VPN enforcement) to restrict who can reach the MLflow server, and reduce the surface of valid low-privilege accounts.

  3. Audit MLflow access logs for unexpected or anomalous calls to /api/2.0/mlflow/model-versions/search or GraphQL mlflowSearchModelVersions from non-admin or non-owner principals — particularly high-volume enumeration patterns.

  4. Review the model registry for sensitive metadata embedded in tags, descriptions, or source URIs (internal storage paths, dataset references, infrastructure identifiers) and sanitize before broader access is confirmed.

  5. For multi-tenant environments, evaluate migration to MLflow's ACL-based access control model with scoped service accounts per team as a defense-in-depth layer beyond the patch.
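Step 3 calls for auditing access logs for SearchModelVersions calls by non-admin principals and for high-volume enumeration patterns. The following is an added example, not code from the advisory or from MLflow: it parses constructed access-log lines (the username and the GraphQL operation name are assumed to be logged by a reverse proxy in front of MLflow) and reports non-privileged principals whose search usage looks like registry-wide enumeration. Owner scoping is not attempted here because per-model ownership is registry data, not log data.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: a reverse proxy logs the basic-auth
# username and, for GraphQL, the operation name; this is not MLflow's own log format).
SAMPLE_LOG = """\
10.0.0.5 admin GET /api/2.0/mlflow/model-versions/search?max_results=100 200
10.0.0.9 contractor-jdoe GET /api/2.0/mlflow/model-versions/search?max_results=200 200
10.0.0.9 contractor-jdoe GET /api/2.0/mlflow/model-versions/search?max_results=200&page_token=AAA 200
10.0.0.9 contractor-jdoe GET /api/2.0/mlflow/model-versions/search?max_results=200&page_token=BBB 200
10.0.0.9 contractor-jdoe GET /api/2.0/mlflow/model-versions/search?max_results=200&page_token=CCC 200
10.0.0.7 ci-svc POST /graphql op=mlflowSearchModelVersions 200
10.0.0.7 ci-svc GET /api/2.0/mlflow/registered-models/get?name=fraud-model 200
10.0.0.3 alice GET /api/2.0/mlflow/model-versions/search?filter=name%3D%27alice-model%27 200
"""

SEARCH_PATH = "/api/2.0/mlflow/model-versions/search"
GRAPHQL_OP = "mlflowSearchModelVersions"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)(?: op=(\S+))? (\d{3})$")

def parse_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, method, target, op, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "user": user, "method": method, "path": path,
            "query": query, "op": op, "status": int(status)}

def is_search_call(rec):
    """True for the REST search endpoint or the GraphQL query named in the advisory."""
    return rec["path"] == SEARCH_PATH or (rec["path"] == "/graphql" and rec["op"] == GRAPHQL_OP)

def audit(log_text, privileged, page_threshold=3):
    """Return {user: stats} for non-privileged principals whose SearchModelVersions
    usage looks like registry-wide enumeration: repeated page_token follow-ups, or
    calls with no filter= at all (GraphQL arguments are not in this log, so a
    GraphQL search is counted as unfiltered)."""
    stats = defaultdict(lambda: {"calls": 0, "paginated": 0, "unfiltered": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] in privileged or not is_search_call(rec):
            continue
        s = stats[rec["user"]]
        s["calls"] += 1
        s["paginated"] += "page_token=" in rec["query"]
        s["unfiltered"] += "filter=" not in rec["query"]
    return {u: s for u, s in stats.items()
            if s["paginated"] >= page_threshold or s["unfiltered"] > 0}
```

On the sample above, `audit(SAMPLE_LOG, {"admin"})` reports contractor-jdoe (three paginated follow-ups, no filter) and ci-svc (an unfiltered GraphQL search), while alice's single filtered query is not flagged.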

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.5 - AI system access control
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-2734 actively exploited?

No confirmed active exploitation of CVE-2026-2734 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-2734?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, multi-tenant ML pipelines, training pipelines, model serving.

What is the CVSS score for CVE-2026-2734?

No CVSS score has been assigned yet.

Technical Details

NVD Description

In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.
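The root cause described above is an endpoint missing from allowlist-style maps of authorization checks, so it falls through unchecked. The following is an added simulation, not MLflow's code: a minimal dispatcher with constructed registry data and permissions, showing the vulnerable shape (the search endpoint absent from the before- and after-request maps, so every version is returned to any caller) next to the patched shape (a validator entry plus an after-request filter that drops versions the caller cannot read). Names, permission levels and the exact filtering behaviour are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class ModelVersion:
    name: str
    version: int
    source: str

# Constructed registry and permissions (assumption: a (user, model) entry grants read access).
REGISTRY = [ModelVersion("fraud-model", 1, "s3://team-a/fraud/v1"),
            ModelVersion("fraud-model", 2, "s3://team-a/fraud/v2"),
            ModelVersion("churn-model", 1, "s3://team-b/churn/v1")]
PERMS = {("alice", "fraud-model"), ("bob", "churn-model")}
ADMINS = {"admin"}
GET_MODEL = ("/api/2.0/mlflow/registered-models/get", "GET")
SEARCH_VERSIONS = ("/api/2.0/mlflow/model-versions/search", "GET")

def can_read(user, model_name):
    return user in ADMINS or (user, model_name) in PERMS

# Store-level handlers know nothing about the caller; authorization lives only in the maps below.
HANDLERS = {
    GET_MODEL: lambda user, params: [v for v in REGISTRY if v.name == params["name"]],
    SEARCH_VERSIONS: lambda user, params: list(REGISTRY),
}

# Vulnerable shape: only endpoints present in these maps are checked or filtered.
# SEARCH_VERSIONS is absent, so the full registry is returned to any authenticated user.
VULN_BEFORE = {GET_MODEL: lambda user, params: can_read(user, params["name"])}
VULN_AFTER = {}

# Patched shape: the search endpoint gets a validator (any authenticated user may call
# it) and an after-request handler that drops versions the caller cannot read.
PATCHED_BEFORE = {**VULN_BEFORE, SEARCH_VERSIONS: lambda user, params: True}
PATCHED_AFTER = {SEARCH_VERSIONS: lambda user, versions: [v for v in versions if can_read(user, v.name)]}

def handle(user, path, method, params, before, after):
    """Dispatch one request through the before-validator, the handler and the after-filter."""
    key = (path, method)
    validator = before.get(key)
    if validator is not None and not validator(user, params):
        return {"error": "PERMISSION_DENIED"}
    result = HANDLERS[key](user, params)
    post = after.get(key)
    return post(user, result) if post else result

def search_as(user, before, after):
    return [(v.name, v.version) for v in handle(user, *SEARCH_VERSIONS, {}, before, after)]

if __name__ == "__main__":
    print("vulnerable:", search_as("alice", VULN_BEFORE, VULN_AFTER))    # all three versions
    print("patched:   ", search_as("alice", PATCHED_BEFORE, PATCHED_AFTER))  # fraud-model only
```

The design lesson is the one the fix encodes: with a map of per-endpoint checks, every new endpoint must be registered explicitly, or it ships with no authorization at all.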

Exploitation Scenario

An attacker with any valid MLflow account — a data scientist with read-only access to a single project, a contractor account, or a compromised service account from a CI/CD pipeline — authenticates to the MLflow server and issues a SearchModelVersions REST call: GET /api/2.0/mlflow/model-versions/search with an empty or wildcard filter. Despite holding no explicit cross-model permissions, the missing authorization check returns all model versions across the entire registry. The attacker paginates through results, extracting model names (revealing active AI projects and product roadmap intelligence), source URIs (exposing S3 buckets, GCS paths, or internal artifact stores used for training), tags (often containing dataset names, experiment context, or business metadata), and version descriptions. This reconnaissance directly enables follow-on attacks: targeting the exposed artifact storage paths to exfiltrate or poison model binaries, identifying training pipelines for data poisoning attacks, or packaging the exfiltrated AI IP for competitive intelligence or sale.

Weaknesses (CWE)

Timeline

Published
May 21, 2026
Last Modified
May 21, 2026
First Seen
May 21, 2026

Related Vulnerabilities