MLflow Authentication Bypass Vulnerability in FastAPI Routes

Vulnerability

A vulnerability exists in MLflow versions 3.9.0 and earlier that allows unauthenticated access to certain FastAPI routes. It arises when the server is launched with authentication enabled and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on '/gateway/' routes, leaving other routes, such as the Job API and the OpenTelemetry trace ingestion API, unprotected. As a result, unauthenticated remote attackers can submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The root cause is an architectural mismatch between the Flask and FastAPI authentication mechanisms: the FastAPI validator lookup function has no handling for non-gateway paths, so requests to those paths are passed through without any credential check, a complete authentication bypass.
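The middleware mismatch described above, as an added Python illustration that is not MLflow's own code: a stand-in ASGI middleware whose validator lookup only covers the '/gateway/' prefix, beside a default-deny version that requires credentials on every path not on an explicit allowlist. The paths, header, token and allowlist are constructed placeholders, and `probe` drives each middleware with a bare ASGI scope so the two behaviours can be compared without running a server.

```python
# Added illustration, not MLflow's own code. Paths, the header and the
# credential check are constructed placeholders for the pattern only.
import asyncio

_VALID_TOKEN = b"Bearer example-token"  # constructed placeholder credential
PUBLIC_PATHS = {"/health"}               # constructed allowlist for the fix

def _has_valid_auth(scope):
    """Stand-in validator: accept only the placeholder bearer token."""
    return dict(scope.get("headers", [])).get(b"authorization") == _VALID_TOKEN

async def _respond(send, status, body):
    """Emit one complete ASGI HTTP response."""
    await send({"type": "http.response.start", "status": status, "headers": []})
    await send({"type": "http.response.body", "body": body})

async def protected_app(scope, receive, send):
    """Downstream app standing in for job / trace routes: always 200."""
    await _respond(send, 200, b"ok")

async def prefix_only_auth(scope, receive, send):
    """Weak pattern: the validator lookup only covers one prefix, so every
    other path falls through to the app without any credential check."""
    if scope["path"].startswith("/gateway/") and not _has_valid_auth(scope):
        return await _respond(send, 401, b"unauthorized")
    await protected_app(scope, receive, send)

async def default_deny_auth(scope, receive, send):
    """Hardened pattern: every path needs credentials unless it is on an
    explicit, reviewed allowlist of public paths."""
    if scope["path"] not in PUBLIC_PATHS and not _has_valid_auth(scope):
        return await _respond(send, 401, b"unauthorized")
    await protected_app(scope, receive, send)

def probe(middleware, path, token=None):
    """Drive an ASGI callable for one GET request; return the HTTP status."""
    headers = [(b"authorization", token)] if token else []
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(middleware(scope, receive, send))
    return sent[0]["status"]
```

Against the prefix-only middleware an unauthenticated request to a non-gateway path is served with 200, while the default-deny version answers the same request with 401 and only serves it once the credential is present.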

Impact

Exploitation of this vulnerability allows unauthenticated injection of trace data into experiments, unauthorized access to job results and parameters, and cancellation of running jobs, disrupting workflows. It also violates the deployment's authentication model: the server administrator enabled authentication expecting every API endpoint to be protected.

Reproduction

To reproduce this vulnerability, start the MLflow server with authentication enabled and the FastAPI application. After verifying that Flask routes require authentication, access the unprotected FastAPI routes without any authentication. This can be done using curl commands to interact with the Job API and the OpenTelemetry trace ingestion API, demonstrating the authentication bypass.

Remediation

Users can update to MLflow version 3.10.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 3:20 AM
Updated: May 15, 2026, 3:20 AM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 1.9
exploitability: 8.4
remediation: 7.7
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.