<Vulnerability name="CVE-2026-4035">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-03T07:18:08</PublicDate>
    <Bugzilla id="2484318" url="https://bugzilla.redhat.com/show_bug.cgi?id=2484318" xml:lang="en:us">
python-mlflow: MLflow: Sensitive credential exfiltration via environment variable resolution in AI Gateway secrets
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-201</CWE>
    <Details xml:lang="en:us" source="Mitre">
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in MLflow. This vulnerability allows an attacker to exfiltrate sensitive server-side environment credentials. It occurs because the AI Gateway secrets can resolve environment variables, which are then sent to an attacker-controlled endpoint. This could lead to unauthorized access to cloud resources and potentially enable cross-boundary code execution.
    </Details>
    <Statement xml:lang="en:us">
This is a flaw in MLflow Server’s AI Gateway: if a gateway secret’s api_key uses a $ENV_VAR form, the server resolves it from pod environment variables and can send those values to a configured upstream api_base. The primary impact is credential disclosure (CWE-201), not direct remote code execution on the platform.

For OpenShift AI, most affected Konflux images embed the mlflow package (notebooks, pipelines, training runtimes) but do not run MLflow Server with the AI Gateway in their default role. The clearest product exposure is odh-mlflow-rhel9, where the server component is actually shipped and operated. Exploitation requires that the attacker can reach the Gateway configuration and, in typical deployments, has authenticated access (PR:L); unauthenticated abuse applies only where MLflow is deployed without basic-auth. Downstream artifact abuse depends on secondary use of the leaked credentials; it is not a standalone RCE primitive in OpenShift AI itself. Hence, the impact is set to Important.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, restrict network access to the MLflow server to trusted clients only. Additionally, ensure that authentication mechanisms, such as basic-auth, are properly configured and enabled for MLflow deployments to prevent unauthenticated or low-privileged access to the AI Gateway. Consult MLflow documentation for specific configuration steps related to network access control and authentication. A restart or reload of the MLflow service may be required for changes to take effect.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-mlflow-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-th06-cpu-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-th06-cuda130-torch210-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-th06-rocm64-torch291-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhoai/odh-training-cuda128-torch29-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-4035
https://nvd.nist.gov/vuln/detail/CVE-2026-4035
https://github.com/mlflow/mlflow/commit/4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3
https://huntr.com/bounties/f8e591a0-0f19-4910-b82e-16c9956f2233
    </References>
</Vulnerability>