CyberRota

CVE-2026-8147

HIGH · CVSS 8.1 · EPSS 0.34% · Public Exploit

Source: NVD + CISA KEV + EPSS · Published: 2026-07-02T09:16:19.100 · Retrieved: 2026-07-02T18:27:52.083891+00:00

CyberRota Commentary

The attacker may need to be logged in.

Public Exploit Signal

A public exploit / PoC / GitHub / Metasploit signal was detected in the description or references for this CVE.

GitHub PoC Links

Note: These links are listed solely for security research and verification purposes.

CVE: CVE-2026-8147
Severity: HIGH
CVSS: 8.1
EPSS: 0.34%

Original NVD Description

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
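The failure mode in the description, a before-request hook that lets a request through when no validator is registered for its route, is modelled below as an added example; it is not MLflow code and not part of the NVD text. All route paths, function names and the permission table are hypothetical and constructed for illustration.

```python
# Simplified model of a before-request authorization hook (hypothetical names,
# not MLflow source). Routes and the permission table are constructed samples.
PERMISSIONS = {"alice": {"1"}, "bob": {"2"}}  # user -> accessible experiment ids

def can_access_experiment(user, params):
    """Experiment-level check: is the target experiment in the user's set?"""
    return params.get("experiment_id") in PERMISSIONS.get(user, set())

ROUTES = [("GET", "/experiments/get"), ("GET", "/traces/get"),
          ("DELETE", "/traces/delete")]

# Registry with the gap the description names: trace routes have no validator.
VALIDATORS = {("GET", "/experiments/get"): can_access_experiment}
# Corrected registry: every route is bound to the experiment-level check.
FIXED_VALIDATORS = {route: can_access_experiment for route in ROUTES}

def before_request(user, route, params, validators, fail_closed):
    """Return the HTTP status the hook would produce for this request."""
    if user is None:
        return 401  # authentication is enforced in every variant
    validator = validators.get(route)
    if validator is None:
        # Fail-open: an unregistered route proceeds with no authorization check.
        # Fail-closed: an unregistered route is denied by default.
        return 403 if fail_closed else 200
    return 200 if validator(user, params) else 403

def unprotected_routes(routes, validators):
    """Startup/CI check: list routes that would skip authorization."""
    return [r for r in routes if r not in validators]

if __name__ == "__main__":
    # bob is authenticated but has no permission on experiment "1".
    req = ("bob", ("DELETE", "/traces/delete"), {"experiment_id": "1"})
    print("fail-open, gap:    ", before_request(*req, VALIDATORS, False))
    print("fail-closed, gap:  ", before_request(*req, VALIDATORS, True))
    print("fail-open, fixed:  ", before_request(*req, FIXED_VALIDATORS, False))
    print("missing validators:", unprotected_routes(ROUTES, VALIDATORS))
```

Running a coverage check like `unprotected_routes` at startup or in CI catches newly added endpoints that were never bound to a validator, independent of whether the hook itself fails closed.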