CVE-2026-13484

EUVD-2026-39984

28.06.2026, 09:16

A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. A reply to the GitHub issue explains, that "[t]he labeling schema PR has not been merged yet. The auth handlers will be added before the release."

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/mlflow/mlflow/

https://github.com/mlflow/mlflow/issues/23608

https://github.com/mlflow/mlflow/issues/23608#issuecomment-4560963877

https://vuldb.com/cve/CVE-2026-13484

https://vuldb.com/submit/837658

https://vuldb.com/vuln/374481

https://vuldb.com/vuln/374481/cti