CVE-2025-15381 Overview
A broken access control vulnerability exists in MLflow when the basic-auth app is enabled. The tracing and assessment endpoints lack proper permission validators, allowing any authenticated user—including those with NO_PERMISSIONS on an experiment—to read trace information and create assessments for traces they should not have access to. This vulnerability impacts both confidentiality through exposure of trace metadata and integrity by permitting unauthorized creation of assessments.
Critical Impact
Authenticated users can bypass permission controls to access sensitive trace data and create unauthorized assessments in MLflow deployments using basic-auth authentication.
Affected Products
- MLflow (latest version) with basic-auth app enabled
- Deployments using mlflow server --app-name=basic-auth
Discovery Timeline
- 2026-03-27 - CVE-2025-15381 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2025-15381
Vulnerability Analysis
This vulnerability stems from missing authorization checks on specific API endpoints within MLflow's basic authentication module. When MLflow is deployed with the basic-auth application enabled via mlflow server --app-name=basic-auth, the server enforces authentication but fails to properly validate user permissions for tracing and assessment operations.
The flaw allows any authenticated user to access trace information from experiments regardless of their assigned permission level. Even users explicitly configured with NO_PERMISSIONS on an experiment can read trace metadata and create assessments. This represents a significant breach of the principle of least privilege and violates the expected access control model.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as it enables information disclosure beyond intended authorization boundaries.
Root Cause
The root cause is the absence of permission validators on tracing and assessment API endpoints. While other MLflow endpoints properly check user permissions against experiment access controls, these specific endpoints were implemented without corresponding authorization checks, creating an inconsistent security posture within the application.
Attack Vector
An attacker with any valid authentication credentials to the MLflow server can exploit this vulnerability remotely over the network. The attack requires low privileges (any authenticated user) and no user interaction. The exploitation path involves:
- Authenticating to the MLflow server using any valid credentials
- Making direct API requests to tracing endpoints to enumerate and read trace data from experiments
- Creating unauthorized assessments for traces belonging to experiments the attacker should not have access to
The vulnerability can be exploited through standard HTTP requests to the affected API endpoints. Technical details regarding the specific endpoints and request formats can be found in the Huntr vulnerability bounty report.
Detection Methods for CVE-2025-15381
Indicators of Compromise
- Unexpected API requests to tracing endpoints from users with limited or no experiment permissions
- Trace data access logs showing reads by users not assigned to the associated experiments
- New assessments created by users without proper experiment access rights
- Anomalous patterns in authentication logs followed by tracing API activity
Detection Strategies
- Implement audit logging for all tracing and assessment API endpoint access
- Monitor for users accessing trace data outside their authorized experiment scope
- Review MLflow access logs for permission violations on trace-related operations
- Configure alerts for assessment creation by users with NO_PERMISSIONS roles
Monitoring Recommendations
- Enable verbose logging on MLflow server instances using basic-auth
- Correlate authentication events with subsequent API activity to identify unauthorized access patterns
- Implement network-level monitoring for unusual request volumes to tracing endpoints
- Regularly audit user permissions and compare against actual API access patterns
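One way to run the comparison of assigned permissions against actual API access described above, as an added example (not MLflow or vendor code). It assumes a reverse proxy in front of MLflow writing nginx "combined" access logs with the basic-auth username, a permission export and a trace-to-experiment inventory (both constructed here), and a trace ID in the path segment after the prefix used in this page's nginx rule; the mapping of READ/EDIT/MANAGE to read and write rights is also an assumption.

```python
import re

# Prefix from the nginx rule on this page; the "/<trace_id>" segment after it
# is an assumed layout for the constructed sample, not a documented route.
TRACE_API = re.compile(
    r"^/api/2\.0/mlflow/(?:traces|assessments)(?:/(?P<trace_id>[\w.-]+))?")
# Proxy access log in nginx "combined" layout; $remote_user is the basic-auth user.
LOG_LINE = re.compile(
    r'^\S+ - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
READ_OK = {"READ", "EDIT", "MANAGE"}  # assumed: levels that may read traces
WRITE_OK = {"EDIT", "MANAGE"}         # assumed: levels that may create assessments

def find_violations(log_lines, permissions, trace_to_experiment,
                    default="NO_PERMISSIONS"):
    """Flag successful trace/assessment calls not covered by the user's level."""
    findings = []  # default = level applied to users with no explicit entry
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["user"] == "-" or not m["status"].startswith("2"):
            continue  # unparsable, anonymous, or rejected by the server
        path = m["path"].split("?", 1)[0]
        api = TRACE_API.match(path)
        if not api:
            continue  # not a tracing/assessment endpoint
        write = m["method"] != "GET" or "assessments" in path
        experiment = trace_to_experiment.get(api["trace_id"])
        if experiment is None:
            findings.append((m["user"], m["method"], path, "unresolved trace"))
            continue
        level = permissions.get((m["user"], experiment), default)
        if level not in (WRITE_OK if write else READ_OK):
            findings.append((m["user"], m["method"], path,
                             f"{level} on experiment {experiment}"))
    return findings

# Constructed inputs: permission export, trace inventory, proxy log lines.
PERMISSIONS = {("alice", "7"): "MANAGE", ("bob", "7"): "READ",
               ("carol", "7"): "NO_PERMISSIONS"}
TRACES = {"tr-1001": "7"}
SAMPLE_LOG = [
    '10.0.4.17 - alice [27/Mar/2026:10:01:02 +0000] "GET /api/2.0/mlflow/traces/tr-1001 HTTP/1.1" 200 812',
    '10.0.4.23 - carol [27/Mar/2026:10:02:11 +0000] "GET /api/2.0/mlflow/traces/tr-1001 HTTP/1.1" 200 812',
    '10.0.4.23 - carol [27/Mar/2026:10:02:15 +0000] "POST /api/2.0/mlflow/traces/tr-1001/assessments HTTP/1.1" 200 140',
    '10.0.4.31 - bob [27/Mar/2026:10:05:40 +0000] "POST /api/2.0/mlflow/traces/tr-1001/assessments HTTP/1.1" 200 140',
    '10.0.4.31 - bob [27/Mar/2026:10:06:02 +0000] "GET /api/2.0/mlflow/experiments/get?experiment_id=7 HTTP/1.1" 200 300',
]
if __name__ == "__main__":
    print(*find_violations(SAMPLE_LOG, PERMISSIONS, TRACES), sep="\n")
```

Requests that match the prefix but cannot be tied to a known trace are reported as "unresolved trace" so they can be reviewed by hand rather than silently dropped.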
How to Mitigate CVE-2025-15381
Immediate Actions Required
- Audit existing MLflow deployments using --app-name=basic-auth for potential unauthorized access
- Review trace data and assessments for signs of unauthorized creation or access
- Implement network-level access controls to restrict MLflow API access to trusted users and systems
- Consider temporarily disabling tracing functionality if sensitive data is at risk until a patch is available
Patch Information
No official patch information is currently available in the CVE data. Monitor the official MLflow repository and security advisories for updates. Additional vulnerability details are available through the Huntr vulnerability bounty report.
Workarounds
- Deploy MLflow behind a reverse proxy with additional access control layers
- Implement network segmentation to limit which users can reach MLflow server endpoints
- Use application-level firewall rules to restrict access to tracing and assessment API paths
- Consider alternative authentication mechanisms if basic-auth cannot be properly secured
# Example: Restrict access to MLflow tracing endpoints via nginx reverse proxy
location ~ ^/api/2\.0/mlflow/(traces|assessments) {
    # Deny access or implement additional authorization
    deny all;
    # Or, instead of the blanket deny above, restrict to specific IP ranges
    # allow 10.0.0.0/8;
    # deny all;
}


