Home / Vulnerability Intelligence / CVE-2025-15381

CVE-2025-15381 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 30, 2026

mlflow/mlflow - Broken Access Control

Published: March 27, 2026Updated: March 30, 2026Remote Exploitable

Overview

mlflow/mlflow with basic-auth app enabled contains a broken access control vulnerability caused by missing permission validators on tracing and assessment endpoints, letting authenticated users with no permissions read trace data and create unauthorized assessments, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 1.0%(Probability of exploitation in next 30 days)

Impact

Authenticated users with no permissions can read trace metadata and create unauthorized assessments, impacting confidentiality and integrity.

Mitigation

Update to the latest version where permission validators protect tracing and assessment endpoints.

References

https://huntr.com/bounties/149fb2f9-ef4b-4136-a25c-20563451904c

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 27, 2026

🟠 CVE-2025-15381 - High (8.1) In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment,... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-15381/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-15381
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: unconfirmed
EPSS: 1.0%
Social Posts: 1

CWE

CWE-200

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

1.0%Probability of exploitation in the next 30 days