CVE-2026-4035
Received - Intake
Environment Variable Leak in MLflow AI Gateway

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: huntr.dev

Description
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-03
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: mlflow
Product: mlflow
Version / Range: up to 3.11.0 (exclusive)
CWE ID: CWE-201
Description: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade MLflow to version 3.11.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, ensure that the environment variable MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV is not set to "true"; leaving it unset disables the automatic resolution of API keys from environment variables and prevents unauthorized access.

Additionally, restrict access to the MLflow Gateway by enabling basic authentication to prevent unauthenticated users from exploiting the vulnerability.

Monitor and audit network traffic and logs for any signs of suspicious activity related to API key exfiltration.


Can you explain this vulnerability to me?

This vulnerability exists in mlflow/mlflow versions prior to 3.11.0 and involves the resolution of environment variables in AI Gateway secrets. Specifically, the `api_key` field in gateway secrets can reference environment variables (using the $ENV_VAR syntax), which are resolved against the MLflow server's environment during runtime.

Because these resolved secrets are sent in authentication headers to upstream API endpoints, an attacker can exploit this to exfiltrate sensitive server-side environment credentials by controlling the endpoint receiving these headers.

The vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without basic-auth, potentially exposing credentials like AWS keys.

The issue was fixed in version 3.11.0 by making the resolution of API keys from environment variables an opt-in feature controlled by a new environment variable, preventing unauthorized access.


How can this vulnerability impact me?

This vulnerability can lead to the leakage of sensitive server-side environment credentials such as cloud artifact credentials (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).

An attacker who exploits this flaw could exfiltrate these credentials to an attacker-controlled endpoint.

The impact includes potential artifact poisoning and cross-boundary code execution in downstream environments, which could compromise the integrity and security of your systems and data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if the MLflow Gateway is resolving API keys from environment variables without explicit permission, which could expose sensitive credentials.

One way to detect potential exploitation is to monitor network traffic for unexpected outbound requests from the MLflow server to attacker-controlled endpoints, especially those containing sensitive environment variable data in authentication headers.

Additionally, you can inspect the MLflow Gateway configuration and environment to see if the environment variable MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV is set to "true", which enables this feature and could indicate exposure if running a vulnerable version.

Suggested commands include:

  • Use network monitoring tools like tcpdump or Wireshark to capture and analyze outgoing requests from the MLflow server.
  • Run: tcpdump -i <interface> host <mlflow_server_ip> and filter for suspicious outbound connections.
  • Check environment variables and configuration with commands like: echo $MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV
  • Inspect MLflow logs for unusual authentication header contents or errors related to API key resolution.
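
An added example, not MLflow code and not part of the original entry: a Python audit that combines the checks above, reading the server process environment (the NUL-separated layout of /proc/<pid>/environ, which is more reliable than `echo` in your own shell) and flagging gateway secrets whose `api_key` is a `$ENV_VAR` reference or whose `api_base` host is not approved. The secret record layout, the allowlist, the sample names and hosts, and the case-insensitive comparison of the flag value are assumptions.

```python
import re
from urllib.parse import urlparse

FIXED = (3, 11, 0)  # first fixed release named in the advisory
FLAG = "MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV"
ENV_REF = re.compile(r"^\$([A-Za-z_][A-Za-z0-9_]*)$")  # the $ENV_VAR form

def parse_environ(raw: bytes) -> dict:
    """Parse NUL-separated KEY=VALUE data, the layout of /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.decode("utf-8", "replace").partition("=")
        if sep:
            env[key] = value
    return env

def is_vulnerable(version: str) -> bool:
    """True for releases before 3.11.0; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(map(int, m.groups())) < FIXED

def audit(version, environ_raw, secrets, allowed_hosts):
    """Return (secret name, finding, detail) tuples for review."""
    env = parse_environ(environ_raw)
    # Resolution is always on before the fix and opt-in afterwards.
    # Comparing the flag case-insensitively is an assumption.
    resolving = is_vulnerable(version) or env.get(FLAG, "").lower() == "true"
    findings = []
    for s in secrets:
        ref = ENV_REF.match(s["api_key"])
        if ref and resolving:
            state = "set" if ref.group(1) in env else "unset"
            findings.append((s["name"], "env-ref", f"{ref.group(1)} ({state} on server)"))
        host = urlparse(s["api_base"]).hostname
        if host not in allowed_hosts:
            findings.append((s["name"], "unapproved-api-base", host))
    return findings

# Constructed sample data: record layout, names and hosts are hypothetical.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0AWS_SECRET_ACCESS_KEY=constructed-value\0"
SAMPLE_SECRETS = [
    {"name": "prod-llm", "api_key": "sk-constructed", "api_base": "https://api.openai.com/v1"},
    {"name": "test-route", "api_key": "$AWS_SECRET_ACCESS_KEY", "api_base": "https://llm.example.net/v1"},
]

if __name__ == "__main__":
    for finding in audit("3.10.1", SAMPLE_ENVIRON, SAMPLE_SECRETS, {"api.openai.com"}):
        print(finding)
```

A secret that produces both findings, an environment reference that resolves on the server and an unapproved upstream host, is the combination this CVE describes and should be reviewed first.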

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows for the exfiltration of sensitive server-side environment credentials, including cloud artifact credentials, which could lead to unauthorized access and potential data breaches.

Such exposure of sensitive credentials can compromise the confidentiality and integrity of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate protection of sensitive information and secure access controls.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized disclosure of sensitive data and failure to maintain adequate security measures.

