CVE-2026-2734: MLflow: missing authz exposes all model versions

GHSA-w5xq-c4pf-ghq7 MEDIUM CISA: TRACK*
Published May 21, 2026
CISO Take

MLflow's SearchModelVersions REST endpoint and GraphQL query bypass per-model authorization entirely when basic auth is enabled, allowing any authenticated user — including low-privilege service accounts or contractors — to enumerate model names, version descriptions, source URIs, and tags across the entire model registry. In multi-tenant MLflow deployments this translates directly to IP theft risk: a single compromised or malicious account can silently map your entire AI portfolio, including training artifact storage paths that expose infrastructure topology and active R&D projects. There is no public exploit and it is not in CISA KEV, but the attack requires nothing beyond a valid login and a single API call, making it trivially executable by any insider or compromised account with zero technical sophistication. Upgrade to MLflow 3.10.0 immediately; if that is not possible, restrict basic auth access to strictly necessary accounts and audit SearchModelVersions call logs for unexpected principals.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

MEDIUM. Attack complexity is minimal — any authenticated user exploits this with a single API or GraphQL call, requiring no elevated privileges or specialized knowledge. Impact is limited to information disclosure rather than code execution or data modification, which constrains severity. Risk is materially elevated in multi-tenant or enterprise deployments where the model registry contains proprietary AI artifacts, training data URIs pointing to internal storage, or competitive R&D metadata. No public exploit exists and the CVE is absent from CISA KEV. Practical exposure depends entirely on deployment posture: isolated internal MLflow instances with fully trusted users present low residual risk, whereas instances accessible to contractors, partners, or with network exposure to broader enterprise segments warrant immediate remediation.

How does the attack unfold?

Initial Access
Attacker authenticates to MLflow using any valid low-privilege account — a contractor, data scientist with scoped permissions, or compromised CI/CD service account.
AML.T0012
Authorization Bypass
Attacker calls the SearchModelVersions REST API or GraphQL endpoint; absent authorization checks in BEFORE_REQUEST_VALIDATORS return all model versions across the entire registry regardless of the caller's permission scope.
AML.T0049
AI Artifact Discovery
Attacker paginates through the unrestricted response to enumerate all model names, versions, source URIs exposing artifact storage paths, tags, and descriptions across all registered models.
AML.T0007
Impact
Exfiltrated metadata enables downstream attacks — targeting exposed artifact storage URIs to steal or poison model binaries, mapping training pipelines for data poisoning, or packaging AI IP as competitive intelligence.
AML.T0035

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip < 3.10.0 3.10.0
26.9K OpenSSF 5.4 660 dependents Pushed 5d ago 31% patched ~76d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps
  1. Upgrade MLflow to version 3.10.0 where authorization checks have been added to BEFORE_REQUEST_VALIDATORS, AFTER_REQUEST_HANDLERS, and GraphQLAuthorizationMiddleware.PROTECTED_FIELDS.

  2. If immediate upgrade is not feasible, implement network-level controls (firewall rules, VPN enforcement) to restrict who can reach the MLflow server, and reduce the surface of valid low-privilege accounts.

  3. Audit MLflow access logs for unexpected or anomalous calls to /api/2.0/mlflow/model-versions/search or GraphQL mlflowSearchModelVersions from non-admin or non-owner principals — particularly high-volume enumeration patterns.

  4. Review the model registry for sensitive metadata embedded in tags, descriptions, or source URIs (internal storage paths, dataset references, infrastructure identifiers) and sanitize before broader access is confirmed.

  5. For multi-tenant environments, evaluate migration to MLflow's ACL-based access control model with scoped service accounts per team as a defense-in-depth layer beyond the patch.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.5 - AI system access control
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-2734?

MLflow's SearchModelVersions REST endpoint and GraphQL query bypass per-model authorization entirely when basic auth is enabled, allowing any authenticated user — including low-privilege service accounts or contractors — to enumerate model names, version descriptions, source URIs, and tags across the entire model registry. In multi-tenant MLflow deployments this translates directly to IP theft risk: a single compromised or malicious account can silently map your entire AI portfolio, including training artifact storage paths that expose infrastructure topology and active R&D projects. There is no public exploit and it is not in CISA KEV, but the attack requires nothing beyond a valid login and a single API call, making it trivially executable by any insider or compromised account with zero technical sophistication. Upgrade to MLflow 3.10.0 immediately; if that is not possible, restrict basic auth access to strictly necessary accounts and audit SearchModelVersions call logs for unexpected principals.

Is CVE-2026-2734 actively exploited?

No confirmed active exploitation of CVE-2026-2734 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2734?

1. Upgrade MLflow to version 3.10.0 where authorization checks have been added to BEFORE_REQUEST_VALIDATORS, AFTER_REQUEST_HANDLERS, and GraphQLAuthorizationMiddleware.PROTECTED_FIELDS. 2. If immediate upgrade is not feasible, implement network-level controls (firewall rules, VPN enforcement) to restrict who can reach the MLflow server, and reduce the surface of valid low-privilege accounts. 3. Audit MLflow access logs for unexpected or anomalous calls to /api/2.0/mlflow/model-versions/search or GraphQL mlflowSearchModelVersions from non-admin or non-owner principals — particularly high-volume enumeration patterns. 4. Review the model registry for sensitive metadata embedded in tags, descriptions, or source URIs (internal storage paths, dataset references, infrastructure identifiers) and sanitize before broader access is confirmed. 5. For multi-tenant environments, evaluate migration to MLflow's ACL-based access control model with scoped service accounts per team as a defense-in-depth layer beyond the patch.

What systems are affected by CVE-2026-2734?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, multi-tenant ML pipelines, training pipelines, model serving.

What is the CVSS score for CVE-2026-2734?

CVE-2026-2734 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.44%.

What is the AI security impact?

Affected AI Architectures

MLOps platformsmodel registriesmulti-tenant ML pipelinestraining pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0012 Valid Accounts
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0.

Exploitation Scenario

An attacker with any valid MLflow account — a data scientist with read-only access to a single project, a contractor account, or a compromised service account from a CI/CD pipeline — authenticates to the MLflow server and issues a SearchModelVersions REST call: GET /api/2.0/mlflow/model-versions/search with an empty or wildcard filter. Despite holding no explicit cross-model permissions, the missing authorization check returns all model versions across the entire registry. The attacker paginates through results, extracting model names (revealing active AI projects and product roadmap intelligence), source URIs (exposing S3 buckets, GCS paths, or internal artifact stores used for training), tags (often containing dataset names, experiment context, or business metadata), and version descriptions. This reconnaissance directly enables follow-on attacks: targeting the exposed artifact storage paths to exfiltrate or poison model binaries, identifying training pipelines for data poisoning attacks, or packaging the exfiltrated AI IP for competitive intelligence or sale.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 21, 2026
Last Modified
June 12, 2026
First Seen
May 21, 2026

Related Vulnerabilities