HIGH
Lfprojects
CVE published 2026-05-15
CVE-2026-2652
CVE-2026-2652 is a high-severity authentication bypass in mlflow/mlflow. When MLflow is started with authentication enabled using `--app-name basic-auth` and served through uvicorn, the FastAPI permission middleware only protects `/gateway/` routes. Other routes, including the Job API and OpenTelemetry trace ingestion, can remain exposed without authentication. In practical terms, an unauthenticated remot [truncated]
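The prefix-only check described above, shown next to a default-deny form. This is an added illustration in plain ASGI Python, not MLflow's code or its fix. The users, the `/jobs/1` and `/health` paths and all function names are constructed for the example.

```python
import asyncio
import base64
import hmac

# Constructed users and paths for illustration; none are MLflow's own.
USERS = {"alice": "s3cret"}
PUBLIC_PATHS = {"/health"}

def authenticated(scope):
    """True only when the request carries valid HTTP Basic credentials."""
    raw = dict(scope["headers"]).get(b"authorization", b"")
    scheme, _, token = raw.decode("latin-1").partition(" ")
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    expected = USERS.get(user)
    return (scheme.lower() == "basic" and expected is not None
            and hmac.compare_digest(expected.encode(), password.encode()))

async def app(scope, receive, send):
    """Stand-in for the protected application: answers 200 on every path."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def guard(inner, needs_auth):
    """Wrap an ASGI app; paths where needs_auth(path) is true must authenticate."""
    async def mw(scope, receive, send):
        if needs_auth(scope["path"]) and not authenticated(scope):
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"www-authenticate", b"Basic")]})
            return await send({"type": "http.response.body", "body": b""})
        await inner(scope, receive, send)
    return mw

# Pattern the advisory describes: only /gateway/ paths are checked.
prefix_only = guard(app, lambda p: p.startswith("/gateway/"))
# Hardened form: every path is checked unless explicitly listed as public.
default_deny = guard(app, lambda p: p not in PUBLIC_PATHS)

def status(mw, path, auth=None):
    """Drive one GET through the middleware and return the response status."""
    headers = [(b"authorization", auth)] if auth else []
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    sent = []
    async def send(msg):
        sent.append(msg)
    asyncio.run(mw(scope, None, send))
    return sent[0]["status"]
```

With the prefix-only guard, any route registered outside `/gateway/` is served without a credential check; the default-deny guard fails closed for routes added later.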