mlflow Unauthenticated Access: FastAPI Routes Exposed in Versions < 3.10.0

/HIGH /CVSS 8.6/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityauthentication-bypasscwe-305
mlflow Unauthenticated Access: FastAPI Routes Exposed in Versions < 3.10.0

The National Vulnerability Database has detailed CVE-2026-2652, a critical authentication bypass affecting mlflow/mlflow versions 3.9.0 and earlier. This vulnerability allows unauthenticated access to specific FastAPI routes when the server is configured with basic authentication and served via uvicorn (ASGI). The core issue stems from an architectural oversight where the FastAPI permission middleware only enforces authentication on /gateway/ routes, leaving critical functionalities like the Job API (/ajax-api/3.0/jobs/*) and the OpenTelemetry trace ingestion API (/v1/traces) completely exposed.

This flaw enables unauthenticated remote attackers to submit jobs, retrieve job results, cancel ongoing jobs, and inject arbitrary trace data into experiments. The National Vulnerability Database attributes this to a failure in the _find_fastapi_validator() function to properly handle non-/gateway/ paths, resulting in a full authentication bypass. The vulnerability, rated with a CVSS score of 8.6 (HIGH), has been addressed in mlflow version 3.10.0.

This isn’t just a misconfiguration; it’s a design flaw that completely negates the intended security controls. Attackers can gain significant control over ML workflows and potentially manipulate data or disrupt operations without needing any credentials. The impact extends beyond just data exposure, allowing for operational sabotage and data integrity compromises.

What This Means For You

  • If your organization uses mlflow/mlflow with versions 3.9.0 or earlier, especially when served via uvicorn with basic authentication, you are exposed. Patch immediately to version 3.10.0. After patching, audit your mlflow job logs and OpenTelemetry traces for any unauthorized activity or anomalous entries prior to the fix. Assume compromise and investigate.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Cloud Accounts Persistence T1552.001 Credentials In Files Credential Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-2652 - Unauthenticated Access to MLflow Job API

Sigma YAML — free preview 
title: CVE-2026-2652 - Unauthenticated Access to MLflow Job API
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects unauthenticated POST requests to MLflow's Job API endpoints (`/ajax-api/3.0/jobs/*`). This bypasses authentication when MLflow is configured with basic auth and served via uvicorn, allowing attackers to submit, read, or cancel jobs.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-2652/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|startswith:
          - '/ajax-api/3.0/jobs/'
      cs-method:
          - 'POST'
      sc-status:
          - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-2652 Auth Bypass mlflow/mlflow versions 3.9.0 and earlier
CVE-2026-2652 Auth Bypass FastAPI routes when server started with `--app-name basic-auth` and served via uvicorn (ASGI)
CVE-2026-2652 Auth Bypass Unprotected routes: /ajax-api/3.0/jobs/* (Job API)
CVE-2026-2652 Auth Bypass Unprotected routes: /v1/traces (OpenTelemetry trace ingestion API)
CVE-2026-2652 Auth Bypass Vulnerable function: _find_fastapi_validator() failing to handle non-/gateway/ paths

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 15, 2026 at 06:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-6811 — Stack exhaustion vulnerability in the MongoDB PHP driver

CVE-2026-6811 — Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the...

vulnerabilityCVEmedium-severitycwe-674
/SCW Vulnerability Desk /MEDIUM /5.9 /⚑ 2 IOCs /⚙ 4 Sigma

CVE-2026-45248 — The GET /Api/V1/Demo/Registered-Users Endpoint That Authentication Bypass

CVE-2026-45248 — Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information....

vulnerabilityCVEmedium-severityauthentication-bypasscwe-306
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 2 IOCs /⚙ 3 Sigma

ZITADEL LDAP Filter Injection Exposes Usernames, Attributes

CVE-2026-44671 — ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity...

vulnerabilityCVEhigh-severityauthentication-bypasscwe-90
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 4 IOCs /⚙ 3 Sigma