{"data":{"id":"70c0ca8e-6181-4b8b-8544-718a07ac1c70","title":"CVE-2026-2734: In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` G","summary":"MLflow versions up to 3.9.0 have a security flaw: the SearchModelVersions feature (an API endpoint that retrieves information about different versions of machine learning models) does not properly check user permissions. As a result, any logged-in user can see all model versions and their sensitive details across the entire system, which is dangerous in shared environments where each team should only access its own models.","solution":"The issue is resolved in version 3.10.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-2734","publishedAt":"2026-05-21T05:16:22.723Z","cveId":"CVE-2026-2734","cweIds":["CWE-284"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00026,"patchAvailable":null,"disclosureDate":"2026-05-21T05:16:22.723Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}