CVE-2026-4035
Analyzed Analyzed - Analysis Complete
Environment Variable Leak in MLflow AI Gateway

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: huntr.dev

Description
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-4035
EUVD
EUVD-2026-34068
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lfprojects mlflow to 3.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation step is to upgrade MLflow to version 3.11.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, ensure that the environment variable MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV is not set to "true", as this disables the automatic resolution of API keys from environment variables and prevents unauthorized access.

Additionally, restrict access to the MLflow Gateway by enabling basic authentication to prevent unauthenticated users from exploiting the vulnerability.

Monitor and audit network traffic and logs for any signs of suspicious activity related to API key exfiltration.

Compliance Impact

This vulnerability allows for the exfiltration of sensitive server-side environment credentials, including cloud artifact credentials, which could lead to unauthorized access and potential data breaches.

Such exposure of sensitive credentials can compromise the confidentiality and integrity of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate protection of sensitive information and secure access controls.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized disclosure of sensitive data and failure to maintain adequate security measures.

Executive Summary

This vulnerability exists in mlflow/mlflow versions prior to 3.11.0 and involves the resolution of environment variables in AI Gateway secrets. Specifically, the `api_key` field in gateway secrets can reference environment variables (using the $ENV_VAR syntax), which are resolved against the MLflow server's environment during runtime.

Because these resolved secrets are sent in authentication headers to upstream API endpoints, an attacker can exploit this to exfiltrate sensitive server-side environment credentials by controlling the endpoint receiving these headers.

The vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without basic-auth, potentially exposing credentials like AWS keys.

The issue was fixed in version 3.11.0 by making the resolution of API keys from environment variables an opt-in feature controlled by a new environment variable, preventing unauthorized access.

Impact Analysis

This vulnerability can lead to the leakage of sensitive server-side environment credentials such as cloud artifact credentials (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).

An attacker who exploits this flaw could exfiltrate these credentials to an attacker-controlled endpoint.

The impact includes potential artifact poisoning and cross-boundary code execution in downstream environments, which could compromise the integrity and security of your systems and data.

Detection Guidance

Detection of this vulnerability involves checking if the MLflow Gateway is resolving API keys from environment variables without explicit permission, which could expose sensitive credentials.

One way to detect potential exploitation is to monitor network traffic for unexpected outbound requests from the MLflow server to attacker-controlled endpoints, especially those containing sensitive environment variable data in authentication headers.

Additionally, you can inspect the MLflow Gateway configuration and environment to see if the environment variable MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV is set to "true", which enables this feature and could indicate exposure if running a vulnerable version.

Suggested commands include:

  • Use network monitoring tools like tcpdump or Wireshark to capture and analyze outgoing requests from the MLflow server.
  • Run: tcpdump -i <interface> host <mlflow_server_ip> and filter for suspicious outbound connections.
  • Check environment variables and configuration with commands like: echo $MLFLOW_GATEWAY_RESOLVE_API_KEY_FROM_ENV
  • Inspect MLflow logs for unusual authentication header contents or errors related to API key resolution.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart