CVE-2026-4035
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
A vulnerability in mlflow/mlflow prior to version 3.11.0 allows environment variable resolution in AI Gateway secrets, enabling exfiltration of sensitive server-side credentials to an attacker-controlled endpoint. The issue arises because the `api_key` field accepts `$ENV_VAR` references that are resolved against the MLflow server's environment at runtime.
Risk Assessment
The risk includes potential leakage of sensitive credentials such as cloud artifact keys (e.g., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments.
Recommendation
Immediately upgrade mlflow to version 3.11.0 or later. If an upgrade is not possible, restrict access to AI Gateway, enable basic authentication, and control user permissions.
Original NVD description (English source)
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.

