8.1

CVE-2025-15381

Exploit

EPSS 0.01%
Veröffentlicht 27.03.2026 16:17:30
Zuletzt bearbeitet 28.04.2026 14:32:08
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow

In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lfprojects ≫ Mlflow Version-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.014

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
security@huntr.dev	8.1	2.8	5.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-15381

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-15381

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-15381

EUVD