CVE-2026-2734 Overview
CVE-2026-2734 is a broken access control vulnerability [CWE-284] in MLflow versions up to and including 3.9.0. The SearchModelVersions REST API endpoint and the corresponding mlflowSearchModelVersions GraphQL query do not enforce per-model authorization when basic authentication is enabled. Any authenticated user can enumerate every model version across all registered models, bypassing the permission model. Exposed metadata includes model names, version descriptions, source URIs, and tags. In multi-tenant MLflow deployments, this allows low-privileged tenants to discover proprietary model assets owned by other tenants. The MLflow maintainers resolved the issue in version 3.10.0.
Critical Impact
Authenticated users with minimal privileges can enumerate sensitive metadata for every registered model version, exposing proprietary machine learning assets in multi-tenant environments.
Affected Products
- MLflow versions up to and including 3.9.0
- MLflow deployments with basic authentication enabled
- MLflow REST API and GraphQL interfaces exposing model registry endpoints
Discovery Timeline
- 2026-05-21 - CVE-2026-2734 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-2734
Vulnerability Analysis
The flaw resides in the MLflow authentication plugin at mlflow/server/auth/__init__.py. MLflow registers per-endpoint authorization hooks through two dispatch tables, BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS. These hooks filter requests and responses based on the caller's permission for a specific registered model. The SearchModelVersions REST handler was never added to either dispatch table, so requests bypass the permission check entirely. The GraphQL path has an equivalent gap: the mlflowSearchModelVersions field is missing from GraphQLAuthorizationMiddleware.PROTECTED_FIELDS. As a result, the middleware does not invoke authorization logic for that query, and the resolver returns model versions from all owners.
Root Cause
The root cause is a missing authorization entry rather than a flawed check. MLflow's basic auth plugin uses an allowlist-style registration model where each protected endpoint must be explicitly enrolled. SearchModelVersions was omitted from both the REST validator map and the GraphQL PROTECTED_FIELDS set, leaving the endpoint unguarded.
Attack Vector
An attacker needs only valid credentials for any account on the MLflow server. The attacker sends a GET request to the SearchModelVersions REST endpoint or issues the mlflowSearchModelVersions GraphQL query. The server returns model version records for every registered model, including those the user has no read permission on.
GetModelVersionDownloadUri,
GetRegisteredModel,
RenameRegisteredModel,
+ SearchModelVersions,
SearchRegisteredModels,
SetModelVersionTag,
SetRegisteredModelAlias,
Source: GitHub Commit 6989066. The patch adds SearchModelVersions to the imports used when registering authorization handlers, then wires it into the per-user permission filter so results are scoped to models the caller can read.
Detection Methods for CVE-2026-2734
Indicators of Compromise
- High-volume requests to /api/2.0/mlflow/model-versions/search from a single authenticated user account.
- GraphQL queries referencing mlflowSearchModelVersions from accounts that do not own registered models.
- Access log entries showing successful SearchModelVersions responses to users whose other model-registry calls return 403.
Detection Strategies
- Audit MLflow access logs for SearchModelVersions requests and cross-reference the caller against the registered model owners.
- Compare the count of model versions returned to a user against the count of models they have explicit READ permission on.
- Monitor GraphQL query logs for invocations of mlflowSearchModelVersions and inspect the response size relative to the user's authorized scope.
Monitoring Recommendations
- Forward MLflow tracking server logs to a centralized SIEM and alert on enumeration patterns against the model registry.
- Track the MLflow server version in software inventory and flag any host running 3.9.0 or earlier with basic auth enabled.
- Baseline normal API usage per service account and alert on deviations involving model registry search endpoints.
How to Mitigate CVE-2026-2734
Immediate Actions Required
- Upgrade MLflow to version 3.10.0 or later, which adds SearchModelVersions to the authorization handler set.
- Inventory all MLflow instances exposed to multi-tenant users and prioritize patching those with basic authentication enabled.
- Rotate or review credentials for accounts that may have used the vulnerable endpoint, and review audit logs for prior enumeration.
Patch Information
The fix is published in MLflow 3.10.0 via commit 6989066af33fdcb03588fd71a1a67f8fc5ef12c9. The patch registers SearchModelVersions in BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS, and adds the field to GraphQLAuthorizationMiddleware.PROTECTED_FIELDS. See the Huntr bounty report for the original disclosure.
Workarounds
- Restrict network access to the MLflow tracking server so only trusted users and services can reach the REST and GraphQL endpoints.
- Disable or front the SearchModelVersions endpoint with an authenticating reverse proxy that enforces per-user authorization until the upgrade is applied.
- Avoid storing sensitive identifiers, credentials, or proprietary descriptions in model version source, description, or tags fields on vulnerable deployments.
# Upgrade MLflow to the patched release
pip install --upgrade 'mlflow>=3.10.0'
# Verify the installed version
python -c "import mlflow; print(mlflow.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
