Executive Summary

This vulnerability exists in mlflow/mlflow versions up to 3.9.0 where the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query do not enforce proper per-model authorization checks when basic authentication is enabled.

As a result, any authenticated user can enumerate all model versions across all registered models regardless of their permission level.

The root cause is that SearchModelVersions is missing from the BEFORE_REQUEST_VALIDATORS and AFTER_REQUEST_HANDLERS for the REST API, and it is also omitted from GraphQLAuthorizationMiddleware.PROTECTED_FIELDS for GraphQL.

This allows exposure of sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details especially in multi-tenant environments.

The issue was fixed in version 3.10.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing any authenticated user to access and enumerate all model versions across all registered models without proper authorization.

This unauthorized access can lead to exposure of sensitive or proprietary information such as model names, version descriptions, source URIs, tags, and other metadata.

In environments where multiple tenants or teams share the same MLflow instance, this could result in confidential data leakage between tenants.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized enumeration of all model versions via the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query when basic authentication is enabled.

To detect this vulnerability on your system, you can attempt to query the SearchModelVersions REST API endpoint or the mlflowSearchModelVersions GraphQL query using an authenticated user account with limited permissions and observe if the response includes model versions beyond the user's permission scope.

Example commands to test this might include:

• Using curl to call the REST API endpoint with basic authentication: curl -u username:password https://your-mlflow-server/api/2.0/mlflow/model-versions/search
• Using a GraphQL client or curl to query the mlflowSearchModelVersions query with authentication and checking if unauthorized model versions are returned.

If the response returns model versions that the authenticated user should not have access to, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in mlflow version 3.10.0 by adding model version search filtering based on user permissions.

Immediate mitigation steps include:

• Upgrade mlflow to version 3.10.0 or later where the authorization checks for SearchModelVersions and mlflowSearchModelVersions are properly enforced.
• If upgrading is not immediately possible, restrict access to the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query to trusted users only.
• Review and tighten basic authentication configurations to limit exposure.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows any authenticated user to enumerate all model versions across all registered models without proper authorization checks. As a result, sensitive information such as model names, version descriptions, source URIs, tags, and other metadata can be exposed. In multi-tenant environments, this exposure could lead to unauthorized disclosure of proprietary or confidential details.

Such unauthorized access and potential data exposure may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive or confidential information to protect privacy and data security.

Useful 0 Not Useful 0