CVE-2026-4035: MLflow: AI Gateway leaks cloud credentials via env injection

AWAITING NVD
Published June 3, 2026
CISO Take

MLflow's AI Gateway resolves $ENV_VAR references in secret api_key fields and forwards the plaintext values to any configured upstream api_base endpoint — meaning an attacker who controls that endpoint silently receives server-side cloud credentials on every gateway request. The severity is compounded by the fact that default MLflow deployments require no authentication, making this exploitable by any unauthenticated actor who can reach the API without a single credential. In practice, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY commonly exist in MLflow server environments with broad write access to artifact stores; once exfiltrated, those credentials enable artifact poisoning in S3 or cloud blob storage that propagates into downstream training jobs and inference pipelines as cross-boundary code execution. Patch to MLflow 3.11.0 immediately; if patching must be delayed, enable basic-auth, audit all Gateway secret configs for $ENV_VAR references, and rotate any cloud credentials present in the MLflow server's environment.

Sources: NVD, GitHub Advisory, ATLAS, huntr.com

What is the risk?

High severity despite the absence of a formal CVSS score. The exploitation bar is trivial in default deployments — no credentials required, only API access to the Gateway endpoint. MLflow servers in enterprise ML environments routinely hold broad cloud IAM credentials with write access to artifact stores, expanding the blast radius well beyond simple credential theft to full pipeline compromise. The chained impact — credential exfiltration leading to artifact poisoning leading to downstream code execution — makes this a multi-stage supply chain risk that warrants immediate action regardless of CVSS availability.

Attack Kill Chain

Initial Access
Attacker accesses the MLflow AI Gateway API without credentials in default deployments, or as a low-privileged authenticated user in basic-auth configurations.
AML.T0049
Credential Trigger
Attacker creates or modifies a Gateway route setting api_key to $AWS_SECRET_ACCESS_KEY and api_base to an attacker-controlled HTTP listener.
AML.T0106
Exfiltration
MLflow resolves the environment variable at runtime and transmits the plaintext cloud credential in an authentication header to the attacker's server.
AML.T0025
Artifact Poisoning
Attacker uses harvested cloud credentials to overwrite artifacts in connected S3 or cloud blob storage with malicious payloads, achieving code execution in downstream training and inference pipelines.
AML.T0010.002

What systems are affected?

Package: mlflow
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

7 steps
  1. Patch to MLflow 3.11.0 immediately — the fix prevents runtime $ENV_VAR resolution in Gateway secret fields.

  2. If patching is delayed, audit all AI Gateway route configurations and remove any $ENV_VAR references from api_key fields.

  3. Enable basic-auth on MLflow deployments — it is disabled by default.

  4. Replace static cloud credentials in the MLflow server environment with instance roles or workload identity (IAM roles for EC2/ECS, Workload Identity for GKE) to eliminate the attack surface entirely.

  5. Rotate AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and any other credentials that resided in the MLflow server's environment.

  6. Review MLflow access and request logs for Gateway routes referencing unexpected or external api_base URLs.

  7. Apply least-privilege IAM policies to all credentials used by MLflow — limit artifact store permissions to specific buckets and operations.
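One way to carry out steps 2 and 6 above, as an added example that is not part of this advisory or of MLflow itself: a Python audit that scans an exported route/secret configuration for $ENV_VAR references in api_key and for api_base hosts outside an allowlist, grading each finding by whether the reference would resolve to a live server secret. The route field names, the JSON shape, the allowlist and all sample values are assumptions or constructed data.

```python
import json
import re
from urllib.parse import urlparse

# Matches $NAME or ${NAME}: the reference style the advisory says api_key accepts.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# Upstream hosts the gateway is expected to call (assumption: edit for your providers).
ALLOWED_API_HOSTS = {"api.openai.com", "api.anthropic.com"}


def audit_routes(routes, allowed_hosts=ALLOWED_API_HOSTS, server_env=None):
    """Return (route, severity, reason) findings for route dicts carrying `name`,
    `api_key` and `api_base` (assumed field names). `server_env` stands in for the
    server environment: it only decides whether a reference resolves to a live secret."""
    server_env = server_env or {}
    findings = []
    for route in routes:
        name = route.get("name", "<unnamed>")
        parsed = urlparse(str(route.get("api_base", "")))
        host = parsed.hostname or ""
        external = bool(host) and host not in allowed_hosts
        if external:
            findings.append((name, "medium", f"api_base host {host!r} is not in the allowlist"))
        if parsed.scheme == "http":
            findings.append((name, "medium", "api_base uses plaintext http"))
        for ref in ENV_REF.findall(str(route.get("api_key", ""))):
            # A live server secret bound to an unexpected upstream is the exact leak path.
            if ref in server_env and external:
                severity = "critical"
            elif ref in server_env:
                severity = "high"
            else:
                severity = "low"
            findings.append((name, severity, f"api_key references env var ${ref}"))
    return findings


# Constructed sample export (not real data): one benign route, one matching the advisory.
SAMPLE_CONFIG = json.dumps({"routes": [
    {"name": "chat", "api_key": "sk-static-example", "api_base": "https://api.openai.com/v1"},
    {"name": "embed", "api_key": "$AWS_SECRET_ACCESS_KEY", "api_base": "http://203.0.113.7:8080/v1"},
]})
# Constructed stand-in for the MLflow server's environment; values are never reported.
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE", "AWS_SECRET_ACCESS_KEY": "example-secret"}


def audit_config_json(text, server_env=SAMPLE_ENV):
    return audit_routes(json.loads(text)["routes"], server_env=server_env)


if __name__ == "__main__":
    for route, severity, reason in audit_config_json(SAMPLE_CONFIG):
        print(f"[{severity.upper():8}] {route}: {reason}")
```

Any "critical" finding is a route that would, on its next request, ship a live server secret to a host you did not approve; treat it as a rotation trigger, not just a config cleanup.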

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain effectiveness of risk response activities
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-4035 actively exploited?

No confirmed active exploitation of CVE-2026-4035 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-4035?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, AI Gateway deployments, cloud artifact stores, training pipelines, model serving.

What is the CVSS score for CVE-2026-4035?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

MLOps platforms, AI Gateway deployments, cloud artifact stores, training pipelines, model serving

MITRE ATLAS Techniques

AML.T0010.002 Data
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

Technical Details

Original Advisory

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.

Exploitation Scenario

An attacker identifies a publicly accessible MLflow instance — common since basic-auth is disabled by default. Using the AI Gateway API without any credentials, they create or modify a gateway route setting api_key to $AWS_SECRET_ACCESS_KEY and api_base to an HTTP server they control. On the next request routed through the gateway, MLflow resolves the environment variable and includes the actual AWS secret access key in the Authorization header sent to the attacker's server. The attacker captures both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, authenticates to the victim's S3 artifact store, and replaces a stored model checkpoint with a backdoored version containing serialized malicious code. The next automated training run or model promotion pipeline loads the poisoned artifact and executes the attacker's payload inside the victim's ML infrastructure, establishing persistent access.

Weaknesses (CWE)

Timeline

Published
June 3, 2026
Last Modified
June 3, 2026
First Seen
June 3, 2026

Related Vulnerabilities