Bug 2493968 (CVE-2026-13484) - CVE-2026-13484 mlflow: MLflow: Unauthorized access and data manipulation via missing API authorization
Summary: CVE-2026-13484 mlflow: MLflow: Unauthorized access and data manipulation via ...
Keywords:
Status: NEW
Alias: CVE-2026-13484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-28 09:01 UTC by OSIDB Bzimport
Modified: 2026-07-01 04:11 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-28 09:01:34 UTC
A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. A reply to the GitHub issue explains, that "[t]he labeling schema PR has not been merged yet. The auth handlers will be added before the release."


Note You need to log in before you can comment on or make changes to this bug.