This vulnerability arises because the `api_key` field in mlflow/mlflow AI Gateway secrets accepts environment variable references (e.g., $ENV_VAR) that are resolved against the server's environment at runtime. The resolved secrets are then included in provider authentication headers sent to the configured upstream API base. An attacker with low privileges in basic-auth deployments or unauthenticated access in default deployments can exploit this to exfiltrate sensitive environment credentials such as AWS keys. This can lead to further attacks including artifact poisoning and code execution in downstream systems. The vulnerability is tracked as CVE-2026-4035 with a CVSS 3.0 score of 9.1 (critical). It is fixed in mlflow version 3.11.0. The product is a cloud service, so the vendor typically manages remediation server-side.

Exploitation of this vulnerability can lead to the leakage of sensitive environment credentials from the MLflow server, including cloud artifact credentials like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. This credential exposure can enable attackers to poison artifacts and execute code across trust boundaries in downstream environments. The vulnerability affects confidentiality, integrity, and availability, with a CVSS score of 9.1 indicating critical severity. No known exploits in the wild have been reported to date.

A fix for this vulnerability is available in mlflow version 3.11.0. Since mlflow is a cloud-hosted service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their deployment is updated to version 3.11.0 or later. Until then, restricting access to authenticated users and avoiding default deployments without basic authentication can reduce exposure. Patch status is confirmed fixed in version 3.11.0.