CVE-2026-2652: Authentication Bypass in mlflow/mlflow
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.
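The root cause described above is a prefix-scoped authorization check: the middleware looks up a validator only for `/gateway/` paths and lets every other path through. The following is an added illustration, not code from mlflow, that models that weak pattern beside a default-deny policy and includes a small audit helper a defender can use to list which routes a given policy admits without credentials. All names (`Request`, `validate_basic_auth`, `prefix_only_policy`, `default_deny_policy`, `PUBLIC_PATHS`, `unauthenticated_reachable`) are hypothetical; the route paths are the ones named in the advisory.

```python
"""Added example (not mlflow's code): prefix-scoped auth check vs. default-deny.

Models the class of flaw in CVE-2026-2652, where an ASGI permission layer only
consults an authentication validator for '/gateway/' paths, so any other route
is served unauthenticated. The hardened policy requires credentials for every
path unless it is on an explicit allow-list, and an audit helper reports which
routes a policy would admit with no credentials at all.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class Request:
    """Minimal stand-in for an ASGI/HTTP request (hypothetical type)."""
    path: str
    authorization: Optional[str] = None  # raw Authorization header value, if any


def validate_basic_auth(request: Request) -> bool:
    """Hypothetical credential check: treats a present 'Basic ...' header as
    authenticated. A real validator would decode and verify the credentials."""
    return bool(request.authorization) and request.authorization.startswith("Basic ")


def prefix_only_policy(request: Request) -> bool:
    """Weak pattern (the advisory's mismatch): a validator is only found for
    '/gateway/' paths. When no validator matches, the request is allowed, so
    the Job API and trace-ingestion routes are reachable unauthenticated."""
    if request.path.startswith("/gateway/"):
        return validate_basic_auth(request)
    return True  # no validator found -> silently admitted


# Explicit allow-list of paths that may be served without credentials
# (hypothetical values; in practice keep this list as short as possible).
PUBLIC_PATHS = frozenset({"/health", "/version"})


def default_deny_policy(request: Request) -> bool:
    """Hardened pattern: every path requires authentication unless it is on the
    explicit allow-list. A route the policy has never heard of is rejected."""
    if request.path in PUBLIC_PATHS:
        return True
    return validate_basic_auth(request)


def unauthenticated_reachable(
    paths: Iterable[str], policy: Callable[[Request], bool]
) -> List[str]:
    """Audit helper: return the paths that `policy` admits with no credentials.
    Anything other than the allow-list showing up here is a finding."""
    return [p for p in paths if policy(Request(path=p, authorization=None))]


# Routes named in the advisory plus two allow-listed ones, used to exercise
# both policies (constructed input).
SAMPLE_ROUTES = [
    "/gateway/completions",
    "/ajax-api/3.0/jobs/123",
    "/v1/traces",
    "/health",
    "/version",
]


if __name__ == "__main__":
    print("prefix-only admits unauthenticated:",
          unauthenticated_reachable(SAMPLE_ROUTES, prefix_only_policy))
    print("default-deny admits unauthenticated:",
          unauthenticated_reachable(SAMPLE_ROUTES, default_deny_policy))
```

Running the audit helper against each policy makes the difference concrete: under the prefix-only policy every route except `/gateway/*` is admitted without credentials, while under default-deny only the explicitly allow-listed paths are. The same helper, pointed at a server's actual route table, is a cheap regression check to keep in a test suite after applying the 3.10.0 fix.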
Frequently Asked Questions
What is the severity of CVE-2026-2652?
CVE-2026-2652 has been classified as a high-severity vulnerability due to the potential for unauthenticated access.
How do I fix CVE-2026-2652?
To mitigate CVE-2026-2652, upgrade mlflow to version 3.9.1 or later to ensure authentication is properly enforced.
What specific software versions are affected by CVE-2026-2652?
CVE-2026-2652 affects mlflow versions up to and including 3.9.0.
What types of access does CVE-2026-2652 allow?
CVE-2026-2652 allows unauthenticated access to certain FastAPI routes when specific server settings are enabled.
Is authentication always required to access mlflow with CVE-2026-2652?
No, CVE-2026-2652 indicates that unauthenticated access can occur even when authentication is configured, under certain conditions.