CVE-2026-3198 Overview
CVE-2026-3198 is a missing authorization vulnerability in MLflow 3.9.0 when deployed with basic authentication (--app-name basic-auth). The BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py omits entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. Any authenticated user can enumerate gateway secrets, endpoints, and model definitions regardless of assigned permissions. The flaw maps to [CWE-284: Improper Access Control] and exposes API keys, endpoint configurations, and proprietary model definitions to unauthorized accounts.
Critical Impact
Authenticated low-privilege users can list all gateway secrets, endpoints, and model definitions, disclosing API keys and proprietary AI/ML model metadata.
Affected Products
- MLflow 3.9.0 deployed with the basic-auth app (--app-name basic-auth)
- LF Projects MLflow tracking server Gateway API
- Any MLflow Gateway deployment relying on basic-auth for access control
Discovery Timeline
- 2026-06-02 - CVE-2026-3198 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-3198
Vulnerability Analysis
MLflow's basic-auth plugin enforces authorization by registering per-endpoint handlers inside the BEFORE_REQUEST_HANDLERS dictionary. Each handler validates the caller's permission before the request reaches the underlying view function. When an endpoint is not present in this dictionary, the basic-auth layer falls through and lets the request proceed without an authorization check.
Three Gateway API list operations are missing from this dictionary: ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions. As a result, any authenticated user, including accounts with the lowest permission tier, can call these endpoints and receive the full server-wide listing. The response contains secret metadata, gateway endpoint URLs and configurations, and registered model definitions used to route inference traffic.
The disclosed data accelerates downstream attacks. Leaked endpoint configurations expose backend LLM provider routes, and secret listings reveal which API credentials exist on the server, narrowing targets for credential abuse against connected AI providers.
Root Cause
The root cause is incomplete coverage of the authorization registry. Authorization is implemented as an allow-list of endpoint names mapped to permission checks, but the developers did not add the three list endpoints when the Gateway API was extended. Missing entries default to no enforcement instead of deny-by-default.
Attack Vector
An attacker with any valid MLflow basic-auth credential sends HTTP GET requests to the affected Gateway list endpoints over the network. No elevated privileges or user interaction are required. The server returns sensitive gateway data that should be restricted to administrators.
No verified public exploit code is available. See the Huntr Bounty Listing for technical details.
Detection Methods for CVE-2026-3198
Indicators of Compromise
- Access log entries showing authenticated requests to Gateway list endpoints (ListGatewaySecretInfos, ListGatewayEndpoints, ListGatewayModelDefinitions) from non-administrative accounts.
- Unexpected enumeration patterns where a single authenticated user sequentially calls multiple Gateway list endpoints in a short window.
- Outbound traffic to LLM providers using API keys whose metadata was previously listed only on the MLflow Gateway.
Detection Strategies
- Audit MLflow server access logs for HTTP requests targeting Gateway list routes and correlate the caller identity against the basic-auth permission table.
- Compare the set of accounts calling list endpoints against the set of administrative accounts; flag any deviation.
- Hash and inventory gateway secret identifiers; alert when secret metadata is returned to accounts without MANAGE permission.
Monitoring Recommendations
- Forward MLflow application logs and reverse-proxy access logs to a centralized log platform for query and retention.
- Set alerting thresholds on bursts of GET requests to /api/2.0/mlflow/gateway/* list endpoints from a single principal.
- Monitor for new or unexpected API key usage at downstream LLM providers that may indicate post-disclosure abuse.
How to Mitigate CVE-2026-3198
Immediate Actions Required
- Restrict network exposure of the MLflow 3.9.0 Gateway to trusted networks and authenticated administrators only.
- Rotate all gateway secrets and provider API keys configured in the affected MLflow Gateway, since prior exposure cannot be ruled out.
- Reduce the number of basic-auth users with access to the MLflow server and disable inactive accounts.
- Review audit logs for prior calls to ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions and investigate any non-administrative callers.
Patch Information
At the time of publication, no fixed MLflow release is listed in the NVD entry for CVE-2026-3198. Track the Huntr Bounty Listing and the MLflow project release notes for an updated version that adds authorization handlers for the affected Gateway list endpoints.
Workarounds
- Place the MLflow server behind a reverse proxy that blocks the three affected Gateway list endpoints for non-administrative users until a patched version is deployed.
- Disable the Gateway API on the MLflow deployment if it is not required for production workflows.
- Apply a local override of BEFORE_REQUEST_HANDLERS in mlflow/server/auth/__init__.py to register permission checks for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions.
# Example reverse-proxy block for the affected list endpoints (nginx)
location ~* /api/2\.0/mlflow/gateway/(secrets|endpoints|model-definitions)$ {
if ($request_method = GET) {
return 403;
}
proxy_pass http://mlflow_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
