{"data":{"id":"3374adbd-42f4-45f3-b65a-1d0046ed8904","title":"CVE-2026-3198: MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'l","summary":"MLflow 3.9.0 running with basic authentication (`--app-name basic-auth`) is missing authorization checks on three Gateway API endpoints (ListGatewaySecretInfos, ListGatewayEndpoints, ListGatewayModelDefinitions): they do not validate the caller's permissions, so any authenticated user can view sensitive information, such as API keys and model configurations, that they should not be able to access.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-3198","publishedAt":"2026-06-02T04:17:03.397Z","cveId":"CVE-2026-3198","cweIds":["CWE-284"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-02T04:17:03.397Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}