CVE-2026-13484: Missing Authorization in MLflow
CVE-2026-13484 is a low-severity vulnerability in MLflow involving missing authorization in the Experiment-scoped Label Schema CRUD API. The vulnerability affects versions up to commit 4666cffc7912ea606d592fc38d6a75e2935f65e7. Exploitation requires high complexity and is considered difficult. The issue is publicly disclosed, but the relevant labeling schema feature and its authorization handlers have not yet been merged or released.
AI Analysis
Technical Summary
This vulnerability in MLflow concerns missing authorization controls in an experimental Label Schema CRUD API component. The affected code is not yet part of an official release, as the labeling schema pull request has not been merged and authorization handlers are planned to be added before release. The vulnerability allows remote attackers to manipulate the API without proper authorization, but exploitation complexity is high and no known exploits are in the wild. No official patch or remediation level has been provided yet.
Potential Impact
The vulnerability could allow unauthorized remote manipulation of the Label Schema API in MLflow, potentially leading to unauthorized access or modification of experiment labels. However, the affected functionality is not yet released, and the exploit complexity is high, reducing immediate risk. The CVSS score is low (2.3), indicating limited impact under current conditions.
Mitigation Recommendations
No official fix or patch is currently available. The labeling schema feature and its authorization handlers are planned but not yet released. Users should monitor MLflow releases for the merging of this feature and the addition of authorization controls. Until then, the affected API is not part of released versions, so no immediate action is required.
CVE-2026-13484: Missing Authorization in MLflow
Description
CVE-2026-13484 is a low-severity vulnerability in MLflow involving missing authorization in the Experiment-scoped Label Schema CRUD API. The vulnerability affects versions up to commit 4666cffc7912ea606d592fc38d6a75e2935f65e7. Exploitation requires high complexity and is considered difficult. The issue is publicly disclosed, but the relevant labeling schema feature and its authorization handlers have not yet been merged or released.
CVSS v4.0
Score 2.3low
Affected software
cpe:2.3:a:mlflow:mlflow:*:*:*:*:*:*:*:*AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in MLflow concerns missing authorization controls in an experimental Label Schema CRUD API component. The affected code is not yet part of an official release, as the labeling schema pull request has not been merged and authorization handlers are planned to be added before release. The vulnerability allows remote attackers to manipulate the API without proper authorization, but exploitation complexity is high and no known exploits are in the wild. No official patch or remediation level has been provided yet.
Potential Impact
The vulnerability could allow unauthorized remote manipulation of the Label Schema API in MLflow, potentially leading to unauthorized access or modification of experiment labels. However, the affected functionality is not yet released, and the exploit complexity is high, reducing immediate risk. The CVSS score is low (2.3), indicating limited impact under current conditions.
Mitigation Recommendations
No official fix or patch is currently available. The labeling schema feature and its authorization handlers are planned but not yet released. Users should monitor MLflow releases for the merging of this feature and the addition of authorization controls. Until then, the affected API is not part of released versions, so no immediate action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-06-27T15:45:07.800Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a40e43027e9c79719a9e947
Added to database: 06/28/2026, 09:06:56 UTC
Last enriched: 06/28/2026, 09:21:17 UTC
Last updated: 06/28/2026, 09:21:17 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.