Bug 2496410 (CVE-2026-8147) - CVE-2026-8147 mlflow: MLflow: Unauthorized access to trace data due to missing authorization validation
Summary: CVE-2026-8147 mlflow: MLflow: Unauthorized access to trace data due to missin...
Keywords:
Status: NEW
Alias: CVE-2026-8147
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-02 09:01 UTC by OSIDB Bzimport
Modified: 2026-07-08 05:52 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-02 09:01:24 UTC
In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.


Note You need to log in before you can comment on or make changes to this bug.