CVE-2026-4035 High Severity in mlflow Vulnerability Details & Analysis

Summary

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to th

Description

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 326,604 vulnerabilities in our database.

#99,150

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Jun 3, 2026

🔍 Exploitation Status

Poc

Proof-of-concept available

⚙️ Automatable

NO

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-10803	ℹ️ low	3.6	0.0	A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflo...	2026-06-04
CVE-2026-3198	🔶 medium	6.5	0.0	MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'l...	2026-06-02
CVE-2026-2651	⛔ critical	9.0	0.1	A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the...	2026-05-25
CVE-2026-2734	🔶 medium	6.5	0.0	In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` G...	2026-05-21
CVE-2026-2611	⛔ critical	9.6	0.0	In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. ...	2026-05-19
CVE-2026-4137	⚠️ high	7.8	0.0	In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` cr...	2026-05-18

CVE-2026-4035

Summary

Description

📊 Relative Risk Intelligence

🎯 CISA SSVC Assessment Updated: Jun 3, 2026

📦 Affected Products 1

🔗 References 2

🔗 Related CVEs 6