PatchSiren cyber security CVE debrief

CVE-2026-2652 Lfprojects CVE debrief

CVE-2026-2652 is a high-severity authentication bypass in mlflow/mlflow. When MLflow is started with authentication enabled using `--app-name basic-auth` and served through uvicorn, the FastAPI permission middleware only protects `/gateway/` routes. Other routes, including the Job API and OpenTelemetry trace ingestion, can remain exposed without authentication. In practical terms, an unauthenticated remote attacker may be able to submit jobs, read results, cancel running jobs, and inject trace data. The issue is fixed in MLflow 3.10.0.

Vendor: Lfprojects
Product: Mlflow
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and platform teams running MLflow 3.9.0 or earlier, especially deployments using `--app-name basic-auth` with uvicorn/ASGI and any environment exposing job-management or trace-ingestion endpoints.

Technical summary

According to the published advisory and NVD record, the flaw is caused by an architectural mismatch between Flask- and FastAPI-based authentication handling. The `_find_fastapi_validator()` logic does not enforce auth outside `/gateway/` routes, leaving endpoints such as `/ajax-api/3.0/jobs/*` and `/v1/traces` unprotected. NVD lists the issue as network-exploitable with no privileges or user interaction required, and assigns CVSS 3.0 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L` (8.6, High). The advisory source associates the issue with CWE-305.
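To make the bug class in that summary concrete, the following added example (not MLflow's code and not derived from `_find_fastapi_validator()`) models a prefix-scoped auth check beside a default-deny policy, then runs a route list through each to list what falls through. The route list mixes the endpoints the advisory names with constructed ones (`/gateway/proxy`, `/ajax-api/3.0/jobs/42`, `/health`); the function names are hypothetical.

```python
"""Route-coverage audit for an authentication policy.

Added illustration, not MLflow's implementation: shows why protecting only a
route prefix leaves everything else open, and what a default-deny policy looks
like. Routes are a constructed sample; /ajax-api/3.0/jobs/ and /v1/traces are
the endpoints named in the advisory.
"""
from dataclasses import dataclass

# Constructed route inventory for the audit (not scraped from a real server).
OBSERVED_ROUTES = [
    "/gateway/proxy",
    "/ajax-api/3.0/jobs/",
    "/ajax-api/3.0/jobs/42",
    "/v1/traces",
    "/health",
]


def prefix_scoped_requires_auth(path: str) -> bool:
    """Weak pattern: only paths under /gateway/ are sent to a validator.

    Any route outside the prefix is never checked, so new APIs added later
    are silently unauthenticated.
    """
    return path.startswith("/gateway/")


@dataclass(frozen=True)
class DefaultDenyPolicy:
    """Deny-by-default: every route needs credentials unless it is on a short,
    explicit public allowlist."""

    public_prefixes: tuple = ("/health",)

    def requires_auth(self, path: str) -> bool:
        for public in self.public_prefixes:
            if path == public or path.startswith(public.rstrip("/") + "/"):
                return False
        return True


def unprotected_routes(routes, requires_auth) -> list:
    """Return the routes a policy would serve without credentials.

    This is the regression test a deployment can keep: the result should be
    exactly the intended public allowlist and nothing else.
    """
    return [r for r in routes if not requires_auth(r)]


def decide(requires_auth, path: str, credentials_valid: bool) -> str:
    """Middleware-style decision for a single request."""
    if not requires_auth(path):
        return "allowed-without-auth"
    return "allowed" if credentials_valid else "denied"


if __name__ == "__main__":
    policy = DefaultDenyPolicy()
    print("prefix-scoped leaves open:",
          unprotected_routes(OBSERVED_ROUTES, prefix_scoped_requires_auth))
    print("default-deny leaves open:  ",
          unprotected_routes(OBSERVED_ROUTES, policy.requires_auth))
    print("POST /v1/traces, no creds, prefix-scoped:",
          decide(prefix_scoped_requires_auth, "/v1/traces", False))
    print("POST /v1/traces, no creds, default-deny: ",
          decide(policy.requires_auth, "/v1/traces", False))
```

The useful habit here is the `unprotected_routes` assertion: enumerate every registered route, run it through the policy, and fail the build if anything other than the intended public allowlist comes back.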

Defensive priority

High. The bug allows unauthenticated access to operational APIs in affected deployments, creating immediate risk of unauthorized job execution/control and trace injection until upgraded.

Recommended defensive actions

  • Upgrade MLflow to 3.10.0 or later.
  • If immediate upgrade is not possible, treat affected deployments as exposed and restrict network access to trusted sources only.
  • Verify whether the instance is using `--app-name basic-auth` with uvicorn/ASGI and assume job and trace endpoints may be unauthenticated on vulnerable versions.
  • Review access to `/ajax-api/3.0/jobs/*` and `/v1/traces` on any affected service.
  • Monitor for unexpected job submissions, job cancellations, and unusual trace-ingestion activity.
  • Confirm the remediation in the vendor patch reference before reopening external access.
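For the monitoring and access-review items above, the following added example (not part of the PatchSiren debrief or of MLflow) scans uvicorn-style access log lines for successful job-API and trace-ingestion requests from outside a trusted network, and for bursts of trace ingestion from a single client. The log lines are constructed to match uvicorn's default access-log shape; the sub-paths under `/ajax-api/3.0/jobs/`, the request verbs, the trusted network range and the burst threshold are all assumptions to adapt to the deployment.

```python
"""Access-log review for the endpoints CVE-2026-2652 leaves unauthenticated.

Added example, not PatchSiren's or MLflow's code. Flags (1) successful hits on
the job API or trace-ingestion endpoint from untrusted clients, and (2) bursts
of trace ingestion from any single client. Log lines are constructed samples
in uvicorn's default access-log format (IPv4 only).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real traffic). Verbs and sub-paths under the
# job API are assumptions; the two prefixes come from the advisory.
SAMPLE_LOG = """\
INFO:     10.0.0.5:41022 - "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 OK
INFO:     203.0.113.7:55010 - "POST /ajax-api/3.0/jobs/ HTTP/1.1" 401 Unauthorized
INFO:     203.0.113.7:55011 - "POST /ajax-api/3.0/jobs/ HTTP/1.1" 200 OK
INFO:     203.0.113.7:55012 - "GET /ajax-api/3.0/jobs/17 HTTP/1.1" 200 OK
INFO:     203.0.113.9:55020 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     203.0.113.9:55021 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     203.0.113.9:55022 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     10.0.0.8:41100 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     10.0.0.8:41101 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     10.0.0.8:41102 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     10.0.0.8:41103 - "POST /v1/traces HTTP/1.1" 200 OK
INFO:     10.0.0.5:41030 - "GET /gateway/proxy HTTP/1.1" 401 Unauthorized
"""

LINE_RE = re.compile(
    r'^INFO:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoints the advisory names as unprotected in the affected configuration.
SENSITIVE_PREFIXES = {
    "/ajax-api/3.0/jobs": "job-api",
    "/v1/traces": "trace-ingest",
}

# Assumed trusted source range; replace with the deployment's own.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def classify(path: str):
    """Return the sensitive-endpoint label for a path, or None."""
    for prefix, label in SENSITIVE_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + "?"):
            return label
    return None


def parse(log_text: str):
    """Yield (ip, method, path, status) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def audit(log_text: str, trusted_nets=TRUSTED_NETS, burst_threshold: int = 4) -> dict:
    """Report untrusted successful hits on sensitive endpoints and trace bursts."""
    untrusted = []
    trace_counts = Counter()
    for ip, method, path, status in parse(log_text):
        label = classify(path)
        if label is None or not 200 <= status < 300:
            continue  # a 401 means auth was enforced; only 2xx hits are the signal
        if label == "trace-ingest":
            trace_counts[ip] += 1
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted_nets):
            untrusted.append((ip, method, path, label))
    bursts = [(ip, n) for ip, n in trace_counts.items() if n >= burst_threshold]
    return {"untrusted_sensitive": untrusted, "trace_bursts": bursts}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for item in report["untrusted_sensitive"]:
        print("untrusted sensitive request:", item)
    for ip, n in report["trace_bursts"]:
        print(f"trace-ingestion burst: {ip} sent {n} requests")
```

Uvicorn's default access log does not record whether an `Authorization` header was present, so the script treats a 2xx on these endpoints from an untrusted client as the indicator; on a patched instance such requests should appear as 401s instead.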

Evidence notes

NVD marks the vulnerable CPE as `lfprojects:mlflow` up to but not including 3.10.0 and records CVSS 3.0 `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L` with analyzed status. The vulnerability description states that FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving the Job API and OpenTelemetry trace API exposed in the affected deployment pattern. The supplied official and vendor references include the CVE record, the NVD detail page, the source item from the NVD API, the MLflow GitHub commit tagged as a patch, and the Huntr advisory reference. No CISA KEV entry was provided in the supplied enrichment data.

Official resources

Publicly disclosed in the CVE record on 2026-05-15 and updated in NVD on 2026-05-18. The supplied data does not indicate a CISA KEV listing.