2 matches found
MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled
Summary When MLflow is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI, the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API /ajax-api/3.0/jobs/ and the OpenTelemetry trace...