3 matches found
Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled
Summary: When MLflow is started with authentication enabled (--app-name basic-auth) and served via uvicorn (ASGI), the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API (/ajax-api/3.0/jobs/) and the OpenTelemetry trace...
CVE-2025-66454
Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...
GHSA-G2JX-37X6-6438 arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints
Summary: The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...