CVE-2026-2652

high
Published 2026-05-15 · Modified 2026-05-21
CVSS v3
8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CVSS v2
VIR risk
8.6

Description

MLflow: unauthenticated access to certain FastAPI routes

Predictions

Exploit likelihood
91%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@huntr.dev — https://huntr.com/bounties/5aeff5f0-49c7-4180-b5cb-c9a046f16756

vendor Authored 2026-05-27

Vendor advisory: security@huntr.dev — https://github.com/mlflow/mlflow/commit/bb62e773263c14e9ba4d1a82fe72d0de2442c6aa

Package impact

Ecosystem      Package   Vulnerable   Fixed
python PyPI    mlflow    < 3.11.0     3.11.0
PIP            mlflow    < 3.11.0     3.11.0

Application impact

Vendor        Product   Versions                     Fixed
lfprojects    mlflow    {"endExcluding":"3.10.0"}    3.10.0

References

CWEs

CWE-305
