PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2734 mlflow CVE debrief

CVE-2026-2734 is an information-disclosure issue in MLflow versions up to 3.9.0. When basic authentication is enabled, the REST `SearchModelVersions` endpoint and the `mlflowSearchModelVersions` GraphQL query do not enforce the expected per-model authorization checks, allowing an authenticated user to enumerate model versions across all registered models. The exposed metadata can include model names, version descriptions, source URIs, tags, and similar details, which may be sensitive in multi-tenant environments. The issue is reported as resolved in MLflow 3.10.0.

Vendor
mlflow
Product
mlflow/mlflow
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

MLflow operators, platform teams running multi-tenant model registries, and security teams responsible for REST and GraphQL authorization controls should treat this as relevant, especially where authenticated users have limited but non-admin access.

Technical summary

The flaw stems from two authorization gaps described in the source record: `SearchModelVersions` was absent from the REST `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS`, and `mlflowSearchModelVersions` was omitted from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS`. As a result, authenticated users can query model-version listings without the intended per-model access checks, revealing metadata from models they should not be able to enumerate. The supplied CVSS vector indicates network exploitation with low attack complexity, low privileges, no user interaction, and high confidentiality impact.

Defensive priority

Medium. This is not a code-execution issue, but it can expose sensitive model metadata and ownership details across tenants. Priority increases if MLflow is exposed to many authenticated users or if registry metadata contains proprietary paths, names, or tags.

Recommended defensive actions

  • Upgrade MLflow to 3.10.0 or later.
  • Verify that the REST and GraphQL authorization paths enforce per-model checks for model-version listing endpoints.
  • Review whether basic authentication is being used to protect multi-tenant MLflow deployments and limit access accordingly.
  • Audit registry metadata for sensitive values that may have been exposed through enumeration.
  • Monitor access logs for unusual model-version enumeration requests and validate that authorization failures are handled consistently.
  • Test any local customizations or forks for the same missing-validator / missing-protected-field pattern.

Evidence notes

Timing context: the CVE was published and modified on 2026-05-21T05:16:22.723Z. The NVD record cites a CVSS v3.0 vector of `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` and CWE-284. Source references in the NVD record point to a GitHub commit in `mlflow/mlflow` and a Huntr bounty page, and the source description states the issue is fixed in version 3.10.0. No exploit instructions are included here.

Official resources

Publicly disclosed through the CVE/NVD record on 2026-05-21, with upstream remediation referenced in the supplied sources and the issue reported as fixed in MLflow 3.10.0.