A vulnerability in MLflow versions prior to 3.11.0, tracked as CVE-2026-4035, allows the resolution of environment variables in AI Gateway secrets, enabling attackers to exfiltrate sensitive credentials and configuration data. MLflow is a widely used open-source MLOps platform for managing the machine learning lifecycle.
What Is the Vulnerability?
CVE-2026-4035 is an environment variable resolution vulnerability in MLflow’s AI Gateway secrets management. The AI Gateway is the component that routes requests to AI model providers (OpenAI, Anthropic, etc.) and manages API keys and secrets for those connections. The vulnerability allows an attacker who can influence or read AI Gateway secret values to resolve environment variables embedded in those secrets — potentially extracting database credentials, cloud API keys, and other sensitive configuration stored in environment variables on the MLflow server.
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Network
Which Versions Are Affected?
- MLflow: all versions prior to 3.11.0
What Is the Fix?
Update MLflow to version 3.11.0 or later. After updating, rotate all API keys and secrets that were configured in the AI Gateway, as they may have been exposed if the vulnerability was exploited.
Recommendations
Update MLflow to 3.11.0 immediately. MLflow is commonly deployed in AI/ML infrastructure with access to cloud credentials, data lake connections, and model registries — the blast radius of a credential leak is high. Rotate all secrets after patching.
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
