CVE-2025-15381 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: March 27, 2026
mlflow/mlflow - Broken Access Control
Published: March 27, 2026 | Updated: March 27, 2026 | Remote Exploitable
Overview
mlflow/mlflow with the basic-auth app enabled contains a broken access control vulnerability caused by missing permission validators on tracing and assessment endpoints. Authenticated users with no permissions can read trace data and create unauthorized assessments. Exploitation requires authentication.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated users with no permissions can read trace metadata and create unauthorized assessments, impacting confidentiality and integrity.
Mitigation
Update to the latest version where permission validators protect tracing and assessment endpoints.
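The failure mode described above, as an added example that is not MLflow's code: a simplified per-route validator table in which a route with no registered validator falls through unchecked, next to a default-deny hook and a coverage audit suitable for CI. The route paths, function names, permission model and the fail-open behaviour of the weak hook are assumptions made for illustration.

```python
# Added illustration; NOT MLflow code. Routes, names and the permission
# model are hypothetical, chosen to mirror the advisory's description.

# Constructed route table: (method, path) pairs the server exposes.
ROUTES = [
    ("GET", "/experiments/get"),
    ("GET", "/traces/get"),
    ("POST", "/assessments/create"),
]

# Constructed permissions: user -> set of granted permission names.
PERMISSIONS = {"alice": {"READ", "EDIT"}, "bob": set()}


def can_read(user):
    return "READ" in PERMISSIONS.get(user, set())


def can_edit(user):
    return "EDIT" in PERMISSIONS.get(user, set())


# "Before" state: the tracing and assessment routes were never registered.
VALIDATORS_BEFORE = {("GET", "/experiments/get"): can_read}

# "After" state: every exposed route has a validator.
VALIDATORS_AFTER = {
    **VALIDATORS_BEFORE,
    ("GET", "/traces/get"): can_read,
    ("POST", "/assessments/create"): can_edit,
}


def authorize_fail_open(validators, user, method, path):
    """Weak hook: a route with no validator is allowed for any logged-in user."""
    validator = validators.get((method, path))
    return True if validator is None else validator(user)


def authorize_default_deny(validators, user, method, path):
    """Hardened hook: a route with no validator is rejected outright."""
    validator = validators.get((method, path))
    return validator is not None and validator(user)


def unprotected_routes(routes, validators):
    """CI-style audit: list exposed routes that have no validator registered."""
    return [route for route in routes if route not in validators]
```

Running `unprotected_routes` against the real route list in a unit test turns a forgotten validator into a build failure instead of a silent authorization gap.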
Details
- CVE ID: CVE-2025-15381
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-200
CVSS Metrics
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N