55 matches found
Authentication Bypass by Primary Weakness
Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the findfastapivalidator function. An attacker can gain unauthorized access to sensitive API endpoints by sending requests to non-/gateway/ paths when the server is started with authenticati...
Authentication Bypass by Primary Weakness
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the...
MLflow: unauthenticated access to certain FastAPI routes
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-2652
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-2652 Authentication Bypass in mlflow/mlflow
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-2652
Summary (CVE-2026-2652) : In mlflow/mlflow
📄 FastAPI‑Based Delivery Server Proof of Concept
This proof of concept demonstrates how legacy ActiveX objects in Internet Explorer can be invoked automatically when a crafted HTML payload is delivered by a minimal HTTP server. The proof of concept shows automatic execution attempts using WScript.Shell and Shell.Application without additional...
EUVD-2020-0232
Malware in sbrugna...
EUVD-2020-0233
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2020-7695
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add...
Linux Distros Unpatched Vulnerability : CVE-2020-7694
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP...
MAL-2025-191842 Malicious code in python-uvicorn (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5396386b3e45bc2cc83befa80cc1843f6d8374728a22274ffbbc124319ddc16d Malicious copy of uvicorn package with added healthcheck endpoint that exfiltrates application settings/env vars --- Category: MALICIOUS - The campaign has...
Malicious code in python-uvicorn (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5396386b3e45bc2cc83befa80cc1843f6d8374728a22274ffbbc124319ddc16d Malicious copy of uvicorn package with added healthcheck endpoint that exfiltrates application settings/env vars --- Category: MALICIOUS - The campaign has...
Malicious code in uvicorn (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d4f7ba398a2a6f412706dc52b14ad4928a3863790d54c8553cf728b68d373b2b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4901 Malicious code in uvicorn (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d4f7ba398a2a6f412706dc52b14ad4928a3863790d54c8553cf728b68d373b2b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
DB-GPT Cross-Site Request Forgery Vulnerability
DB-GPT is an AWEL and proxy-based AI native data application development framework open-sourced by eosphoros. A cross-site request forgery vulnerability exists in DB-GPT version 0.6.0, which stems from an overly loose configuration of CORSMiddleware used by the uvicorn app, which could lead to a...
aiida-graphql (>=0.0.1 <=0.0.2), annhub-python (>=0.1.5 <=0.1.6) +31 more potentially affected by CVE-2020-7695 via uvicorn (>=0.10.0 <=0.11.5)
uvicorn PYPI version =0.10.0, =0.0.1, =0.1.5, =1.0.0, =22.70.0, =0.31.0, =0.0.14, =0.8.0, =2.0.0, =1.0.0a1, =0.0.2, =0.0.1a0, =0.0.1a1 and more Source cves: CVE-2020-7695 Source advisory: OSV:GHSA-F97H-2PFX-F59F...
HTTP response splitting in uvicorn
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP...
GHSA-F97H-2PFX-F59F HTTP response splitting in uvicorn
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP...