CVE Catalog

CVE-2026-4035

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile - higher than 35% of all known CVEs

Summary

A vulnerability in mlflow/mlflow prior to version 3.11.0 allows environment variable resolution in AI Gateway secrets, enabling exfiltration of sensitive server-side credentials to an attacker-controlled endpoint. The issue arises because the `api_key` field accepts `$ENV_VAR` references that are resolved against the MLflow server's environment at runtime.

Risk Assessment

The risk includes potential leakage of sensitive credentials such as cloud artifact keys (e.g., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments.

Recommendation

Immediately upgrade mlflow to version 3.11.0 or later. If an upgrade is not possible, restrict access to AI Gateway, enable basic authentication, and control user permissions.

Original NVD description (English source)

A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS