CVE-2025-15381
Unauthorized Access in mlflow Basic-Auth App Exposes Trace Data
Publication date: 2026-03-27
Last updated on: 2026-04-28
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfprojects | mlflow | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Until a fixed release is available, do not rely on the `basic-auth` app to protect trace data: its tracing and assessment endpoints are not covered by the permission validators, so any authenticated user can reach them regardless of experiment permissions. Note that simply dropping the `basic-auth` app does not close the gap, since the tracking server then performs no authentication at all; if the server must stay reachable, restrict it with network controls or an authenticating reverse proxy and limit accounts to users who may see every trace.
When you patch or operate a fork, confirm that every tracing and assessment route is mapped to a permission validator and that unmapped API routes are denied rather than passed through. Verify by logging in as a user with no permissions on an experiment and checking that reading its traces and creating assessments on them returns 403.
Track the mlflow project for a fix that addresses this issue and apply it promptly.
Can you explain this vulnerability to me?
This vulnerability exists in mlflow/mlflow, in the version current at the time of the report, when the server is run with the basic-auth app enabled. The basic-auth app authorizes REST calls by mapping each protected endpoint to a permission validator, but the tracing and assessment endpoints have no such mapping. As a result, any authenticated user, including one with no permissions on the experiment, can read trace information and create assessments for traces they should not have access to.
Authentication therefore succeeds but authorization is never enforced for these routes, so unauthorized users can read sensitive trace metadata and tamper with assessments, compromising both confidentiality and integrity.
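The missing-validator pattern described above, and the check asked for under the mitigation steps, are illustrated below with a small Python model of a before-request authorization hook. This is an added example, not MLflow's own code: the route paths, the validator names, the permission levels and the sample users, grants and trace-to-experiment mapping are all assumptions constructed for illustration. The `vulnerable` hook reproduces the flaw (trace and assessment routes never registered, unmapped endpoints allowed for any authenticated caller); the `hardened` hook registers validators for those routes and, additionally, denies unknown API routes by default so the same class of omission cannot silently recur.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from any real deployment): users the basic-auth
# layer accepts, per-experiment permission grants, and the experiment each trace
# belongs to. "eve" authenticates successfully but holds no grants at all.
USERS = {"alice", "bob", "eve"}
PERMISSIONS = {"1": {"alice": "MANAGE"}, "2": {"alice": "MANAGE", "bob": "READ"}}
TRACE_EXPERIMENT = {"tr-1": "1", "tr-2": "2"}
LEVELS = {"READ": 1, "EDIT": 2, "MANAGE": 3}  # ascending capability


@dataclass
class Request:
    method: str
    path: str
    user: str  # identity established by the basic-auth layer before this hook runs


def can(user, experiment_id, level):
    """True if `user` holds at least `level` on the experiment."""
    granted = PERMISSIONS.get(experiment_id, {}).get(user)
    return granted is not None and LEVELS[granted] >= LEVELS[level]


# Validators receive the request plus the path parameters captured by the route.
# A trace inherits the permissions of its owning experiment.
def validate_read_experiment(req, params):
    return can(req.user, params["experiment_id"], "READ")


def validate_read_trace(req, params):
    exp = TRACE_EXPERIMENT.get(params["trace_id"])
    return exp is not None and can(req.user, exp, "READ")


def validate_edit_trace(req, params):
    exp = TRACE_EXPERIMENT.get(params["trace_id"])
    return exp is not None and can(req.user, exp, "EDIT")


def route(method, pattern, validator):
    return (method, re.compile(f"^{pattern}$"), validator)


# Hypothetical route table. The paths merely resemble MLflow's REST layout;
# they are assumptions for this example, not copied from the project.
EXPERIMENT_ROUTES = [
    route("GET", r"/api/2\.0/mlflow/experiments/(?P<experiment_id>[^/]+)", validate_read_experiment),
]
TRACE_ROUTES = [
    route("GET", r"/api/2\.0/mlflow/traces/(?P<trace_id>[^/]+)/info", validate_read_trace),
    route("POST", r"/api/2\.0/mlflow/traces/(?P<trace_id>[^/]+)/assessments", validate_edit_trace),
]


def authorize(req, routes, default_deny):
    """Before-request hook. Returns 401 (unauthenticated), 403 (forbidden) or 200."""
    if req.user not in USERS:
        return 401
    for method, pattern, validator in routes:
        m = pattern.match(req.path)
        if m and method == req.method:
            return 200 if validator(req, m.groupdict()) else 403
    # No validator is registered for this endpoint.
    if default_deny and req.path.startswith("/api/"):
        return 403
    return 200


def vulnerable(req):
    # The CWE-200 pattern: trace and assessment routes were never registered,
    # and an unmapped endpoint is allowed for any authenticated caller.
    return authorize(req, EXPERIMENT_ROUTES, default_deny=False)


def hardened(req):
    # Every trace/assessment route has a validator, and unknown API routes are
    # refused instead of silently allowed.
    return authorize(req, EXPERIMENT_ROUTES + TRACE_ROUTES, default_deny=True)


if __name__ == "__main__":
    probe = Request("GET", "/api/2.0/mlflow/traces/tr-2/info", "eve")
    print("vulnerable:", vulnerable(probe), "hardened:", hardened(probe))
```

The experiment route is protected in both hooks, which is why the bug is easy to miss: the per-route validator mechanism works, the trace routes were simply never added to it. The default-deny fallback in `hardened` is the structural fix; the same probe (a user with no grants calling trace and assessment endpoints and expecting 403) is the check to run against a real deployment after upgrading.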
How can this vulnerability impact me?
Any authenticated user of the server can read trace metadata for experiments they hold no permissions on, which compromises confidentiality; traces frequently carry prompts, model inputs and outputs, and other application data.
The same users can also create assessments on those traces, so evaluation records attached to a trace can be written by people who should not have access to it, which compromises integrity.
The practical result is unauthorized information disclosure and manipulation of trace assessments within your mlflow deployment, limited only by who can obtain any account on the server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The flaw undermines the access controls that regulations such as GDPR and HIPAA require for sensitive data: trace metadata is exposed to users without permission on the experiment, and those users can also create assessments they are not entitled to make.
Where traces contain personal or health-related data, this amounts to unauthorized disclosure and unauthorized modification by authenticated but unprivileged users, which can violate the confidentiality and integrity requirements these regulations impose and may trigger breach-notification obligations.