MLflow SearchModelVersions Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in MLflow versions prior to 3.9.0 within the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query. These features lack adequate authorization checks when basic authentication is enabled, allowing any authenticated user to access and enumerate all model versions across all registered models, irrespective of their permission levels. This flaw can lead to the unintentional disclosure of sensitive information, such as model names, version descriptions, source URIs, tags, and other metadata, which could be proprietary or confidential, especially in multi-tenant environments.

Impact

Exploitation of this vulnerability allows any authenticated user to bypass access controls and access all model versions, including sensitive metadata, across all registered models.

Reproduction

To reproduce this vulnerability, first, create a user with basic authentication. Then, as an admin, create a registered model and a model version with sensitive information. After denying the user access to the model, the user can still search for model versions through the vulnerable API or GraphQL endpoint, successfully retrieving all model versions, including those marked as confidential.
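
The scenario above, reduced to a simplified in-memory model. This is an added example, not MLflow source code. The user names, model names, permission table, and deny-by-default setting are constructed assumptions. It contrasts a search that only requires authentication with one that filters results by the caller's permission on each parent model.

```python
# Added illustration: a simplified in-memory model of the flaw, not MLflow code.
from dataclasses import dataclass


@dataclass(frozen=True)
class ModelVersion:
    name: str
    version: int
    description: str
    source: str


# Constructed sample registry contents.
VERSIONS = [
    ModelVersion("fraud-scoring", 1, "confidential: Q3 features", "s3://example-bucket/fraud/1"),
    ModelVersion("fraud-scoring", 2, "confidential: retrained", "s3://example-bucket/fraud/2"),
    ModelVersion("demo-iris", 1, "public demo", "s3://example-bucket/iris/1"),
]

# Hypothetical (user, model) -> permission table for this example.
PERMISSIONS = {
    ("alice", "fraud-scoring"): "NO_PERMISSIONS",
    ("alice", "demo-iris"): "READ",
}
ADMINS = {"admin"}
DEFAULT_PERMISSION = "NO_PERMISSIONS"  # assumption: deny by default
READABLE = {"READ", "EDIT", "MANAGE"}


def can_read(user, model_name):
    """True if the caller is an admin or holds a readable permission on the model."""
    if user in ADMINS:
        return True
    return PERMISSIONS.get((user, model_name), DEFAULT_PERMISSION) in READABLE


def search_unfiltered(user, name_filter=None):
    """Behaviour the advisory describes: authenticated, but no per-model check."""
    return [v for v in VERSIONS if name_filter is None or v.name == name_filter]


def search_filtered(user, name_filter=None):
    """Hardened form: drop versions whose parent model the caller cannot read."""
    return [v for v in search_unfiltered(user, name_filter) if can_read(user, v.name)]


def leaked(user):
    """Versions the unfiltered search returns that the caller may not see."""
    return [v for v in search_unfiltered(user) if not can_read(user, v.name)]
```

A regression test for the fix can take the same shape: run the search as a user who has been denied access and assert that nothing from the denied model comes back.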

Remediation

Users can update to MLflow version 3.10.0 or later, where this vulnerability has been fixed.

Added: May 21, 2026, 5:19 AM
Updated: May 21, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 9.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.