CVE-2026-4035: Environment Variable Resolution Vulnerability in mlflow/mlflow
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Metrics
- CVSS v3.0: 9.1
- Severity: CRITICAL
- Fixed in: 3.11.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
An environment variable resolution vulnerability in mlflow/mlflow (versions prior to 3.11.0) allows attackers to inject `$ENV_VAR` references into AI Gateway secret configurations, causing the MLflow server to resolve and forward sensitive server-side environment variables to an attacker-controlled endpoint. The vulnerability is reachable over the network and requires only a low-privileged account in basic-auth deployments, or no account at all in default deployments. Successful exploitation leaks credentials such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, enabling artifact poisoning and cross-boundary code execution in downstream environments. A patched-image rebuild at version 3.11.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-4035 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle mlflow directly. Any image carrying an mlflow/mlflow version below 3.11.0 is flagged automatically.
HarborGuard scores this CVE at CVSS 9.1 (Critical) and weights it further against each environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at mlflow/mlflow 3.11.0 becomes available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The MLflow AI Gateway must be reachable over the network; an attacker sends a crafted secret configuration referencing server-side environment variables via the exposed HTTP API.
- Authentication: Required (basic-auth deployments) / Not required (default deployments)
In basic-auth deployments any low-privilege account is sufficient to exploit this vulnerability; in default deployments without basic-auth, no authentication is required at all.
- Victim interaction: Not required
No victim action is needed; the server resolves environment variables and forwards credentials automatically during normal request processing.
- Attack complexity: Low
Exploitation is reliable and condition-free: injecting a `$ENV_VAR` reference into the `api_key` field and pointing `api_base` at an attacker-controlled endpoint is the entire attack chain, with no race conditions or special environmental factors required.
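The two configuration fields named above (`api_key` and `api_base`) are the whole surface of this issue, so a defender can audit stored gateway secrets for exactly those two conditions: an `api_key` that contains a `$ENV_VAR` or `${ENV_VAR}` reference, and an `api_base` whose host is not a known provider. The following is an added example written for this advisory, not MLflow's own code and not HarborGuard's scanner; the secret dictionaries, the allowed-host set and the `resolve_api_key_safely` helper are constructed assumptions that show the hardened behaviour (resolve only explicitly allowlisted names, refuse everything else) rather than the pre-3.11.0 resolver.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Matches the $NAME and ${NAME} forms the vulnerable resolver expanded.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


@dataclass
class Finding:
    where: str      # which secret field the finding is about
    severity: str
    message: str


def env_references(value: str) -> list[str]:
    """Return the environment variable names referenced by a secret value."""
    return ENV_REF.findall(value or "")


def audit_gateway_secret(secret: dict, allowed_upstream_hosts: set[str]) -> list[Finding]:
    """Flag gateway secrets that reference server env vars or point at an
    unexpected upstream. `secret` mirrors the shape of a stored AI Gateway
    secret (assumed: an `api_key` and an `api_base` key)."""
    findings: list[Finding] = []

    refs = env_references(secret.get("api_key", ""))
    if refs:
        findings.append(Finding(
            "api_key", "critical",
            "references server environment variables: " + ", ".join(refs)))

    api_base = secret.get("api_base")
    if api_base:
        parsed = urlparse(api_base)
        if parsed.scheme != "https":
            findings.append(Finding(
                "api_base", "high", f"non-HTTPS upstream scheme {parsed.scheme!r}"))
        if parsed.hostname not in allowed_upstream_hosts:
            findings.append(Finding(
                "api_base", "high",
                f"upstream host {parsed.hostname!r} is not on the provider allowlist"))
    return findings


def resolve_api_key_safely(api_key: str, environ: dict, allowed_names: frozenset[str] = frozenset()) -> str:
    """Hardened resolver (assumed design): expand only names that an operator
    explicitly allowlisted; any other $NAME reference is an error, so cloud
    credentials such as AWS_SECRET_ACCESS_KEY can never be pulled in."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in allowed_names:
            raise ValueError(f"refusing to resolve ${name} in api_key")
        return environ[name]
    return ENV_REF.sub(replace, api_key)


if __name__ == "__main__":
    # Constructed sample secrets: one benign, one that would have leaked credentials.
    allowed_hosts = {"api.openai.com"}
    benign = {"api_key": "sk-constructed-literal", "api_base": "https://api.openai.com/v1"}
    suspicious = {"api_key": "$AWS_SECRET_ACCESS_KEY",
                  "api_base": "http://collector.example.invalid/v1"}
    for name, secret in (("benign", benign), ("suspicious", suspicious)):
        for f in audit_gateway_secret(secret, allowed_hosts):
            print(f"{name}: [{f.severity}] {f.where}: {f.message}")
```

Run the audit over every stored secret when upgrading to 3.11.0 or later; any `critical` finding means the server's environment may already have been forwarded to the listed `api_base`, so the referenced credentials should be rotated regardless of whether the upgrade has been applied.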
Blast Radius
- Reads server-side environment variables including cloud credential pairs such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY by receiving them in forwarded authentication headers.
- Gains access to cloud storage artifacts protected by the exfiltrated credentials, enabling reads of proprietary model weights, training data, and pipeline outputs.
- Overwrites or poisons stored artifacts in cloud buckets using the stolen credentials, injecting malicious model files or dependencies consumed by downstream build and inference pipelines.
- Achieves cross-boundary code execution in downstream environments that automatically load or execute artifacts pulled from the compromised storage location.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images within minutes of publication, covering registry-hosted and pipeline-built images alike. Because a fix exists at version 3.11.0, a rebuilt image at that version becomes available as soon as an affected image is detected. For customers who have auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run against the updated image, and opens a pull request against affected workloads; for Critical-severity issues like this one, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval, the rebuilt image and PR are staged and held for reviewer sign-off. Given the credential-exfiltration nature of this bug, customers running MLflow without basic-auth should treat any deployment below 3.11.0 as fully unauthenticated-attacker-accessible and prioritize the upgrade accordingly.
Fix available
- mlflow / mlflow/mlflow: affected < 3.11.0 (from unspecified)
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L