CVE-2026-3198: MLflow: auth bypass exposes gateway secrets and keys

AWAITING NVD
Published June 2, 2026
CISO Take

MLflow 3.9.0's basic-auth plugin (--app-name basic-auth) omits authorization checks for three Gateway API list endpoints: ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. Any authenticated user, regardless of assigned role, can therefore enumerate all stored gateway secrets, endpoint configurations, and proprietary model definitions. In production MLOps environments where the MLflow Gateway proxies requests to LLM providers such as OpenAI or Anthropic, this collapses the intended RBAC model: a single compromised or malicious low-privilege account yields every secret needed to query those providers directly, outside any internal control plane. Only deployments that run the basic-auth app are in scope, since a tracking server started without it enforces no authorization at all. No CVSS score or EPSS data is yet available and the vulnerability is not in CISA KEV, but the trivially low exploitation bar (authenticated API calls only) elevates practical risk wherever gateway secrets hold live LLM API keys. Rotate all MLflow Gateway secrets immediately, restrict network access to the Gateway API to trusted networks, and watch the MLflow GitHub releases for a patched version.

Sources: NVD, ATLAS, huntr.com

What is the risk?

Medium-High practical risk despite absent CVSS scoring. Exploitation requires only a valid MLflow account — no privilege escalation, no novel exploit chain, no special tooling. The critical factor is blast radius: organizations using MLflow Gateway to centralize LLM API key management (a common pattern for cost control and observability) face complete secret exfiltration from a single low-privilege account. Multi-tenant or shared MLflow deployments used across data science teams dramatically increase the exposure surface, as any user on the platform becomes a viable threat actor.

Attack Kill Chain

Initial Access
Attacker obtains any valid MLflow account via credential stuffing, phishing, or a compromised CI/CD service account — no elevated privileges required.
AML.T0012
Authorization Bypass
Attacker sends authenticated requests to the three unprotected Gateway endpoints; missing BEFORE_REQUEST_HANDLERS entries mean no permission check fires and the server returns data to any authenticated session.
AML.T0049
Credential and Config Harvesting
Attacker extracts all stored LLM provider API keys via ListGatewaySecretInfos, maps the complete inference infrastructure via ListGatewayEndpoints, and retrieves proprietary model definitions via ListGatewayModelDefinitions.
AML.T0055
Impact
Harvested API keys enable direct unauthorized access to LLM providers outside organizational controls, enabling cost abuse, prompt exfiltration, and exposure of proprietary AI model intellectual property.
AML.T0025

What systems are affected?

Package: mlflow
Ecosystem: pip
Vulnerable range: 3.9.0 (the version named in the advisory)
Patched: No patch
Package profile: 26.2K, OpenSSF 5.6, 646 dependents, pushed 4d ago, 27% patched, ~53d to patch

If you run MLflow 3.9.0 with the basic-auth app (--app-name basic-auth), you are affected. A server running without basic-auth has no authorization layer to bypass in the first place, which is a separate and larger problem.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.0% chance of exploitation in 30 days (higher than 7% of all CVEs)
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade to a patched MLflow release as soon as available — track the GitHub releases page and the huntr.com advisory (https://huntr.com/bounties/e57db731-97d3-40c3-a429-831ee959807f).

  2. Immediately rotate all API keys stored as MLflow Gateway secrets; re-issue only to services that require them with scoped permissions.

  3. As an immediate workaround, restrict network-level access to the MLflow Gateway API routes (/gateway/*; confirm the exact path prefix your server version exposes before writing the rule) to trusted IP ranges using a reverse proxy or network policy. This does not fix the authorization gap, since any user who can still reach the server can still call the endpoints, but it significantly reduces the exposure surface.

  4. Audit Gateway API access logs for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions calls made by non-admin users since the MLflow 3.9.0 deployment date. Successful (2xx) responses to non-admin callers are the signal; a 403 means the check fired and nothing was disclosed. If the server's own access logs do not record the authenticated username, correlate with reverse-proxy or identity-provider logs, and treat any hit as confirmed disclosure.

  5. Evaluate migrating API key storage to a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager) rather than MLflow Gateway secrets, regardless of this CVE, to reduce the blast radius of future MLflow vulnerabilities.
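Step 4 is the one you can act on today. The following added example (not part of this page and not MLflow's own tooling) runs that audit over a constructed access log in an assumed format: ISO timestamp, authenticated user, HTTP method, handler name and status code. The sample lines, the admin list and the 3.9.0 rollout date are all assumptions; adapt LINE_RE to whatever your server or reverse proxy actually writes. It keeps only 2xx responses to the three unguarded handlers from non-admin users after the rollout date, and groups the result by user so you know whose sessions to investigate.

```python
import re
from datetime import datetime, timezone

# The three handlers the advisory names as unguarded.
SENSITIVE_HANDLERS = {
    "ListGatewaySecretInfos",
    "ListGatewayEndpoints",
    "ListGatewayModelDefinitions",
}

# Assumed log line shape for this example: ISO timestamp, basic-auth user,
# HTTP method, handler name and status code. Real server or reverse-proxy
# logs differ; adapt this pattern to your format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+method=(?P<method>[A-Z]+)\s+"
    r"handler=(?P<handler>\S+)\s+status=(?P<status>\d{3})\s*$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized_reads(lines, admins, since):
    """Successful calls to the sensitive handlers by non-admins after `since`.

    Only 2xx responses count: a 403 means the permission check did fire
    (for example on a patched build) and nothing was disclosed.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["handler"] not in SENSITIVE_HANDLERS:
            continue
        if rec["ts"] < since or rec["user"] in admins:
            continue
        if not 200 <= rec["status"] < 300:
            continue
        findings.append((rec["user"], rec["handler"], rec["ts"].isoformat()))
    return findings


def summarize(findings):
    """Which non-admin users reached which sensitive handlers."""
    by_user = {}
    for user, handler, _ in findings:
        by_user.setdefault(user, set()).add(handler)
    return {u: sorted(h) for u, h in sorted(by_user.items())}


# Constructed sample log, not captured from a real server.
SAMPLE_LOG = [
    "2026-05-19T08:00:00Z user=bob method=GET handler=ListGatewaySecretInfos status=200",
    "2026-05-21T09:30:00Z user=admin method=GET handler=ListGatewaySecretInfos status=200",
    "2026-05-22T09:15:00Z user=bob method=GET handler=ListGatewaySecretInfos status=200",
    "2026-05-22T09:15:04Z user=bob method=GET handler=ListGatewayEndpoints status=200",
    "2026-05-23T11:00:00Z user=carol method=GET handler=ListGatewayModelDefinitions status=403",
    "2026-05-23T11:01:00Z user=carol method=GET handler=SearchExperiments status=200",
    "garbled line from a log rotation boundary",
    "2026-05-24T02:00:00Z user=ci-runner method=GET handler=ListGatewayModelDefinitions status=200",
]
DEPLOYED_3_9_0 = datetime(2026, 5, 20, tzinfo=timezone.utc)  # assumed rollout date
ADMINS = {"admin"}

if __name__ == "__main__":
    hits = find_unauthorized_reads(SAMPLE_LOG, ADMINS, DEPLOYED_3_9_0)
    for user, handler, ts in hits:
        print(f"{ts} {user} -> {handler}")
    print(summarize(hits))
```

On the constructed sample the audit reports bob (two handlers) and ci-runner (one); bob's pre-rollout call, the admin's call, carol's 403 and the malformed line are all dropped. A CI service account appearing in the result is exactly the compromised-pipeline case the kill chain describes, so check where that account's credentials live before rotating.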

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1 - Information Security in AI Systems
NIST AI RMF
GOVERN 1.2 - Accountability and Oversight
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-3198?

CVE-2026-3198 is a missing-authorization flaw in the MLflow 3.9.0 basic-auth plugin: the ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions Gateway API endpoints have no entry in the plugin's BEFORE_REQUEST_HANDLERS table, so any authenticated user can list gateway secrets, endpoint configurations, and model definitions regardless of role. The CISO Take at the top of this page covers the impact in detail.

Is CVE-2026-3198 actively exploited?

No confirmed active exploitation of CVE-2026-3198 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3198?

Five steps, detailed under "What should I do?" above: upgrade to a patched MLflow release as soon as one ships (track the GitHub releases page and the huntr.com advisory at https://huntr.com/bounties/e57db731-97d3-40c3-a429-831ee959807f); rotate every API key stored as a Gateway secret now and re-issue only to services that need them; restrict network access to the Gateway API to trusted ranges as a stopgap; audit access logs for non-admin calls to the three list endpoints since 3.9.0 was deployed; and consider moving provider keys to a dedicated secrets manager so that future MLflow bugs expose less.

What systems are affected by CVE-2026-3198?

This vulnerability affects the following AI/ML architecture patterns: MLflow Gateway / AI Gateway deployments, MLOps platforms with multi-tenant access, LLM proxy and routing infrastructure, Model serving platforms, Centralized API key management for LLM providers.

What is the CVSS score for CVE-2026-3198?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

MLflow Gateway / AI Gateway deployments
MLOps platforms with multi-tenant access
LLM proxy and routing infrastructure
Model serving platforms
Centralized API key management for LLM providers

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM06

Technical Details

Original Advisory

MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users.
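The mechanism the advisory describes, reduced to plain Python as an added example. This is hypothetical illustration code, not MLflow's implementation: the route table, the paths, the handler names beyond the three the advisory cites, and the admin-only policy are all assumptions. It shows why a missing dictionary entry in a before-request hook silently allows the request, a fail-closed variant for a sensitive path prefix, and a coverage check that flags unregistered gateway handlers before they ship.

```python
from dataclasses import dataclass

# Hypothetical model of a before-request authorization hook keyed by handler
# name. Paths, handler names and policies are assumptions for this example,
# not MLflow's real route table.


@dataclass(frozen=True)
class Request:
    path: str
    user: str
    is_admin: bool


GATEWAY_PREFIX = "/gateway/"

# Assumed mapping from request path to the handler name used as the key
# into the authorization table. The three list handlers are the ones the
# advisory names; the others are made up for contrast.
ROUTES = {
    "/gateway/secrets/list": "ListGatewaySecretInfos",
    "/gateway/endpoints/list": "ListGatewayEndpoints",
    "/gateway/model-definitions/list": "ListGatewayModelDefinitions",
    "/gateway/secrets/create": "CreateGatewaySecret",
    "/experiments/search": "SearchExperiments",
}


def require_admin(req: Request) -> bool:
    return req.is_admin


def allow_any_authenticated(req: Request) -> bool:
    return True


# Vulnerable shape: the table has entries for some handlers only. The three
# gateway list handlers are absent, which is the gap the advisory describes.
VULNERABLE_HANDLERS = {
    "CreateGatewaySecret": require_admin,
    "SearchExperiments": allow_any_authenticated,
}


def authorize_vulnerable(req: Request) -> bool:
    """A lookup miss means 'no check', so unregistered handlers are wide open."""
    handler = VULNERABLE_HANDLERS.get(ROUTES.get(req.path))
    if handler is None:
        return True
    return handler(req)


# Fixed shape: every gateway handler gets an explicit policy, and the hook
# additionally fails closed for anything under the gateway prefix that
# still lacks one.
FIXED_HANDLERS = dict(VULNERABLE_HANDLERS)
FIXED_HANDLERS.update({
    "ListGatewaySecretInfos": require_admin,
    "ListGatewayEndpoints": require_admin,
    "ListGatewayModelDefinitions": require_admin,
})


def authorize_fixed(req: Request) -> bool:
    handler = FIXED_HANDLERS.get(ROUTES.get(req.path))
    if handler is None:
        # Unknown non-gateway routes keep the permissive behaviour; unknown
        # gateway routes are denied instead of silently allowed.
        return not req.path.startswith(GATEWAY_PREFIX)
    return handler(req)


def unguarded_gateway_handlers(routes: dict, handlers: dict) -> list:
    """Regression check: gateway handler names with no authorization entry.

    Run against the real route table in CI; a non-empty result is a build
    failure, which is the test that would have caught this advisory's gap.
    """
    return sorted(
        name for path, name in routes.items()
        if path.startswith(GATEWAY_PREFIX) and name not in handlers
    )


if __name__ == "__main__":
    low = Request("/gateway/secrets/list", "analyst", is_admin=False)
    print("vulnerable allows low-priv secret listing:", authorize_vulnerable(low))
    print("fixed allows low-priv secret listing:", authorize_fixed(low))
    print("unguarded before fix:", unguarded_gateway_handlers(ROUTES, VULNERABLE_HANDLERS))
    print("unguarded after fix:", unguarded_gateway_handlers(ROUTES, FIXED_HANDLERS))
```

The design point is that an allowlist-of-checks where absence means "allow" turns every forgotten registration into an authorization bypass. Either default to deny for the sensitive namespace, or make the registry's completeness a tested invariant; doing both costs little and means a new gateway endpoint cannot ship unguarded without a failing build.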

Exploitation Scenario

An adversary with a low-privilege MLflow account — obtained via credential stuffing, phishing a junior data scientist, or compromising a CI/CD service account — authenticates to the MLflow Gateway API and issues a GET request to the ListGatewaySecretInfos endpoint. The request succeeds because the authorization handler is simply absent from the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py. The attacker receives a full list of stored API keys for all configured LLM providers (OpenAI, Anthropic, Azure OpenAI, etc.). They also call ListGatewayEndpoints to map the complete inference infrastructure — which models are deployed, their routing rules, and base URLs — and ListGatewayModelDefinitions to extract proprietary fine-tuned model configurations. Armed with harvested API keys, the adversary directly accesses LLM providers outside organizational controls, exfiltrating sensitive prompts, incurring unexpected API costs, or pivoting to other services sharing the same credentials.

Weaknesses (CWE)

Timeline

Published
June 2, 2026
Last Modified
June 2, 2026
First Seen
June 2, 2026

Related Vulnerabilities