CVE Alert

CVE-2026-8147

Severity: HIGH (CVSS 8.1)

Authorization Bypass in mlflow/mlflow

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
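The failure mode described above is a registry of per-endpoint authorization validators that "falls open": a request whose endpoint has no registered validator is allowed through instead of denied. The following is an added illustration, not MLflow's own code; the endpoint names, permission levels and `Request` type are hypothetical. It contrasts a fall-open dispatcher with a default-deny one, and includes the audit check a maintainer would want: enumerate the known endpoints and list every one that has no validator registered.

```python
# Added example (not MLflow's code): per-endpoint authorization validators
# dispatched from a before-request hook, fall-open versus default-deny.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Request:
    user: str
    endpoint: str       # hypothetical endpoint name, e.g. "delete_traces"
    experiment_id: str


# Constructed permission table: experiment_id -> {user: permission level}.
PERMISSIONS: Dict[str, Dict[str, str]] = {
    "exp-1": {"alice": "MANAGE", "bob": "READ"},
    "exp-2": {"alice": "MANAGE"},            # bob has no access here
}

READ_LEVELS = {"READ", "EDIT", "MANAGE"}
EDIT_LEVELS = {"EDIT", "MANAGE"}


def _permission(user: str, experiment_id: str) -> Optional[str]:
    return PERMISSIONS.get(experiment_id, {}).get(user)


def validate_can_read_experiment(req: Request) -> bool:
    return _permission(req.user, req.experiment_id) in READ_LEVELS


def validate_can_update_experiment(req: Request) -> bool:
    return _permission(req.user, req.experiment_id) in EDIT_LEVELS


Validator = Callable[[Request], bool]

# Hypothetical full set of experiment-scoped endpoints the server exposes.
ALL_ENDPOINTS = {
    "get_experiment", "update_experiment",
    "get_trace", "search_traces", "delete_traces", "set_trace_tag",
}

# Registry that covers experiment endpoints but omits the trace endpoints:
# the shape of the defect described in the advisory.
INCOMPLETE_VALIDATORS: Dict[str, Validator] = {
    "get_experiment": validate_can_read_experiment,
    "update_experiment": validate_can_update_experiment,
}

# Registry with trace endpoints mapped to the same experiment-level checks.
COMPLETE_VALIDATORS: Dict[str, Validator] = {
    **INCOMPLETE_VALIDATORS,
    "get_trace": validate_can_read_experiment,
    "search_traces": validate_can_read_experiment,
    "delete_traces": validate_can_update_experiment,
    "set_trace_tag": validate_can_update_experiment,
}


def before_request_fall_open(req: Request, validators: Dict[str, Validator]) -> bool:
    """Weak pattern: an endpoint with no registered validator is let through."""
    validator = validators.get(req.endpoint)
    if validator is None:
        return True          # silent bypass for every unregistered endpoint
    return validator(req)


def before_request_default_deny(req: Request, validators: Dict[str, Validator]) -> bool:
    """Hardened pattern: an endpoint with no registered validator is refused."""
    validator = validators.get(req.endpoint)
    if validator is None:
        return False         # fail closed; a missing mapping is a bug, not an allow
    return validator(req)


def audit_uncovered_endpoints(endpoints: Iterable[str],
                              validators: Dict[str, Validator]) -> Set[str]:
    """Startup/CI check: every exposed endpoint must have a validator."""
    return set(endpoints) - set(validators)


if __name__ == "__main__":
    bob_deletes = Request("bob", "delete_traces", "exp-2")
    print("fall-open, incomplete registry:",
          before_request_fall_open(bob_deletes, INCOMPLETE_VALIDATORS))
    print("default-deny, incomplete registry:",
          before_request_default_deny(bob_deletes, INCOMPLETE_VALIDATORS))
    print("uncovered endpoints:",
          sorted(audit_uncovered_endpoints(ALL_ENDPOINTS, INCOMPLETE_VALIDATORS)))
```

Running `audit_uncovered_endpoints` against the real route table at startup (or in a test) turns a missing validator into a failing build rather than an open endpoint, which is the check that catches this class of bug regardless of which endpoint was forgotten.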

CWE: CWE-284
Vendor: mlflow
Product: mlflow/mlflow
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Versions

mlflow/mlflow: all versions < 3.14.0 (lower bound unspecified)

References

NVD, CVE.org, EPSS Data
huntr.com: https://huntr.com/bounties/b00c3ddd-373e-492f-9bf0-41a28bb21ed5
github.com: https://github.com/mlflow/mlflow/commit/f9b1eb510478570609ef451984a255775aa4b937