A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-4035 exposes a critical credential exfiltration vulnerability in MLflow versions before 3.11.0, where the AI Gateway's secret management allows environment variable resolution within the `api_key` field. When an attacker crafts a malicious gateway configuration containing `$ENV_VAR` references, the MLflow server resolves these variables against its own environment during runtime and inadvertently transmits the resolved sensitive credentials to attacker-controlled endpoints in provider authentication headers. This affects any organization running vulnerable MLflow versions with AI Gateway functionality enabled, particularly those using MLflow in multi-tenant or shared infrastructure environments where gateway configurations may be user-controllable. The vulnerability enables direct credential theft without requiring code execution or network interception, making it a high-impact supply chain risk for AI/ML operations teams.
While this specific CVE does not directly map to traditional MITRE ATT&CK techniques in the Casky skill database, practitioners should monitor for attack patterns consistent with Credential Access and Exfiltration techniques. Detection would center on identifying anomalous outbound connections from MLflow server processes to unusual external endpoints, particularly those initiated during gateway secret validation or authentication header construction. Security teams should investigate MLflow configuration changes that introduce environment variable references in gateway settings, monitor environment variable access patterns on MLflow servers, and track unexpected credential usage against external AI provider services. Extended behavioral analysis through Casky's Claude-powered reasoning would correlate server-side environment variable reads with subsequent network egress events and authentication attempts, revealing the attack chain from configuration injection through credential exfiltration.
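The configuration-side check described above, written as an added example (not Casky's or MLflow's own code): it audits a list of gateway secret entries for `$ENV_VAR` / `${ENV_VAR}` references in `api_key` and for an `api_base` whose host is not on a provider allowlist, and grades the combination. The entry shape (`name`, `api_key`, `api_base`), the allowlist and the sample entries are constructed for this example; the exact reference syntax MLflow accepted is assumed to be either form.

```python
"""Audit AI Gateway secret entries for env-var references in api_key
and for upstream api_base hosts outside an allowlist (added example)."""
import re
from urllib.parse import urlparse

# Matches $NAME or ${NAME}; the reference syntax is assumed from the advisory.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Hypothetical allowlist of legitimate upstream provider hosts.
ALLOWED_API_HOSTS = {"api.openai.com", "api.anthropic.com"}

# Variables the advisory names as high-impact if leaked.
SENSITIVE_ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Constructed sample entries (not MLflow's stored format).
SAMPLE_SECRETS = [
    {"name": "openai-prod", "api_key": "sk-constructed-literal",
     "api_base": "https://api.openai.com/v1"},
    {"name": "suspicious", "api_key": "$AWS_SECRET_ACCESS_KEY",
     "api_base": "https://collector.example.invalid/v1"},
    {"name": "env-ref-known-host", "api_key": "${OPENAI_API_KEY}",
     "api_base": "https://api.openai.com/v1"},
]


def audit_gateway_secrets(secrets):
    """Return one finding per entry that uses env references or an unknown host.

    Severity: env ref + unknown host = high, and critical if the referenced
    variable is a known cloud credential; env ref + allowed host = medium;
    unknown host alone = low."""
    findings = []
    for entry in secrets:
        refs = ENV_REF.findall(entry.get("api_key", ""))
        host = urlparse(entry.get("api_base", "")).hostname or ""
        unknown_host = host not in ALLOWED_API_HOSTS
        if not refs and not unknown_host:
            continue  # literal key sent to an allowed provider: nothing to flag
        severity = "low"
        if refs:
            severity = "high" if unknown_host else "medium"
            if unknown_host and SENSITIVE_ENV.intersection(refs):
                severity = "critical"
        findings.append({"name": entry.get("name"), "env_refs": sorted(refs),
                         "api_base_host": host, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_gateway_secrets(SAMPLE_SECRETS):
        print(finding)
```

Run it against an export of the gateway's secret entries after each configuration change; a "critical" or "high" finding is the pairing the advisory describes (server-side variable reference plus an upstream the team does not recognise).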
© 2026 Casky.AI, Inc. · AI Security Investigation