5 matches found
Authorization bypass on all trace endpoints when auth is enabled
Description When MLflow runs with auth enabled, the trace API endpoints don't have authorization validators registered. The beforerequest handler checks each request against BEFOREREQUESTHANDLERS — experiments, runs, models all have entries there, but traces have zero entries. When no validator i...
EUVD-2025-6810
Malicious code in bioql PyPI...
PYSEC-2025-52
gatewayproxyhandler in MLflow before 3.1.0 lacks gatewaypath validation...
CVE-2023-6014
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment...
CVE-2023-43472
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...