CVE Catalog

CVE-2026-13484

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

In MLflow up to version 4666cffc7912ea606d592fc38d6a75e2935f65e7, a missing authorization vulnerability was found in the Experiment-scoped Label Schema CRUD API. This flaw allows remote manipulation of data without proper authentication, though exploitation is difficult due to high attack complexity.

Risk Assessment

The organization is at risk of unauthorized access to experiment label schemas, potentially leading to data integrity breaches and information leakage. However, the attack requires advanced skills and is difficult to execute.

Recommendation

Update MLflow to a patched version as soon as it is officially released. Until then, restrict access to the Label Schema CRUD API using firewall rules or network-level authorization mechanisms.

Original NVD description (English source)

A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. A reply to the GitHub issue explains, that "[t]he labeling schema PR has not been merged yet. The auth handlers will be added before the release."

Vulnerability data from NVD (NIST) · CISA KEV · EPSS