MLflow
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*
- 3.9.0
An authorization bypass vulnerability has been identified in MLflow version 3.9.0 when using basic authentication. The issue arises because the application fails to enforce authorization checks for several Gateway API 'list' endpoints. Specifically, the 'BEFORE_REQUEST_HANDLERS' dictionary does not include necessary entries for 'ListGatewaySecretInfos', 'ListGatewayEndpoints', and 'ListGatewayModelDefinitions'. As a result, any authenticated user can enumerate all gateway secrets, endpoints, and model definitions, exposing sensitive information such as API keys, endpoint configurations, and proprietary model definitions to unauthorized users.
This vulnerability allows any authenticated user to list all AI Gateway secrets, endpoint configurations, and model definitions within the MLflow deployment. This is particularly concerning in production environments where MLflow acts as a centralized AI Gateway, as it could expose sensitive API keys for LLM providers like OpenAI and Anthropic, along with internal endpoint routing and proprietary model information.
To reproduce this vulnerability, start MLflow 3.9.0 with basic authentication. After creating a non-admin user, use that account to access the 'list' endpoints for gateway secrets, endpoints, and model definitions. Each request will return a 200 OK status, indicating successful enumeration, despite the lack of proper authorization. In contrast, accessing individual resource endpoints correctly enforces authorization by returning a 403 Forbidden status.
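The behaviour described above is that of a validator registry that lets a request through when it has no entry for it. The sketch below is an added example, not MLflow's code: it models such a registry, contrasts fail-open dispatch with default-deny dispatch, and includes a coverage check that could run in CI. Only `BEFORE_REQUEST_HANDLERS` and the three `List*` names come from the advisory; the `Get*` names, the role check, and all function names are assumptions made for illustration.

```python
# Simplified model of a per-endpoint authorization registry (constructed example).
ADMIN, USER = "admin", "user"

def admin_only(role):
    """Constructed stand-in for a real permission validator."""
    return role == ADMIN

# Constructed request names for the gateway surface. The Get* entries stand in for
# the individual-resource endpoints that the advisory says are correctly enforced.
GATEWAY_REQUESTS = [
    "GetGatewaySecretInfo", "GetGatewayEndpoint", "GetGatewayModelDefinition",
    "ListGatewaySecretInfos", "ListGatewayEndpoints", "ListGatewayModelDefinitions",
]

# Registry in the state the advisory describes: no entries for the List* requests.
BEFORE_REQUEST_HANDLERS = {
    name: admin_only for name in GATEWAY_REQUESTS if name.startswith("Get")
}

def status_fail_open(request_name, role, handlers):
    """A request with no registered validator passes through unchecked."""
    validator = handlers.get(request_name)
    if validator is None:
        return 200
    return 200 if validator(role) else 403

def status_default_deny(request_name, role, handlers):
    """A request with no registered validator is refused, for every role."""
    validator = handlers.get(request_name)
    if validator is None or not validator(role):
        return 403
    return 200

def missing_handlers(requests, handlers):
    """Coverage check: request names that have no validator registered."""
    return sorted(name for name in requests if name not in handlers)

def audit(dispatch, role=USER):
    """Status code each gateway request would return for the given role."""
    return {n: dispatch(n, role, BEFORE_REQUEST_HANDLERS) for n in GATEWAY_REQUESTS}

if __name__ == "__main__":
    print("unguarded:", missing_handlers(GATEWAY_REQUESTS, BEFORE_REQUEST_HANDLERS))
    for label, dispatch in (("fail-open", status_fail_open),
                            ("default-deny", status_default_deny)):
        for name, code in audit(dispatch).items():
            print(f"{label:12} {name:30} {code}")
```

Under default-deny the missing entries surface as 403 responses for administrators too, so the gap is caught in testing rather than exposed to every authenticated user.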