MEDIUM
mlflow
CVE published 2026-05-21
CVE-2026-2734
CVE-2026-2734 is an information-disclosure issue in MLflow versions up to 3.9.0. When basic authentication is enabled, the REST `SearchModelVersions` endpoint and the `mlflowSearchModelVersions` GraphQL query do not enforce the expected per-model authorization checks, allowing an authenticated user to enumerate model versions across all registered models. The exposed metadata can include model names, vers [truncated]