SCA: security update for mlflow (GHSA-75cm-x2w3-8mgf)

high Tenable Self-Hosted Container Security Plugin ID 442308

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain
FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served
via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes,
leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion
API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job
results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an
architectural mismatch between Flask and FastAPI authentication mechanisms, where the
`_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete
authentication bypass. This vulnerability is fixed in version 3.10.0. (CVE-2026-2652)

Solution

Update the mlflow library and its related packages to version 3.11.0 or later.

See Also

https://github.com/advisories/GHSA-75cm-x2w3-8mgf

Plugin Details

Severity: High

ID: 442308

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 5/22/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.76

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:P

CVSS Score Source: CVE-2026-2652

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/15/2026

Vulnerability Publication Date: 5/15/2026

Reference Information

CVE: CVE-2026-2652

cwe: CWE-305