CVE-2026-8147

Source
https://cve.org/CVERecord?id=CVE-2026-8147
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8147.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8147
Aliases
Published
2026-07-02T07:32:58.308Z
Modified
2026-07-08T08:12:42.027364873Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Authorization Bypass in mlflow/mlflow
Details

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the _before_request handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8147.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

Git / github.com/mlflow/mlflow

Affected ranges

Type
GIT
Repo
https://github.com/mlflow/mlflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.14.0"
        }
    ]
}

Affected versions

1.*
1.0.0
Other
model-catalog/latest
nightly
ts/v0.*
ts/v0.2.0
ts/v0.2.0-rc.1
ts/v0.2.0-rc.2
ts/v0.3.0-rc.0
v0.*
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.7
v0.8.0
v0.8.1
v1.*
v1.7.0
v2.*
v2.2.0
v3.*
v3.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8147.json"