In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
CVE-2026-8147 is an authorization control vulnerability in MLflow versions before 3.14.0 that allows authenticated users to bypass experiment-level access restrictions on trace operations. When authentication is enabled, the trace API endpoints fail to implement proper authorization validators, enabling any authenticated user to read, delete, and modify traces across experiments they should not have permission to access. This is particularly critical for organizations using MLflow in multi-tenant environments or shared research platforms where experiment isolation is essential for data governance, intellectual property protection, and compliance. Any deployment running MLflow with authentication but relying on experiment-level access controls is affected, making this a high-impact vulnerability (CVSS 8.1) affecting the confidentiality and integrity of machine learning artifacts and metadata.
While this CVE lacks specific MITRE ATT&CK technique mappings, Casky's extended reasoning capabilities would flag the underlying attack patterns as consistent with T1530 (Data from Cloud Storage) and T1526 (Cloud Service Discovery) behaviors. A practitioner using Casky would identify suspicious patterns in access logs: authenticated users querying or modifying traces outside their permission scope, repeated API calls to `/api/2.0/traces/*` endpoints with successful responses despite authorization policies, or bulk operations on experiments without corresponding permission grants. The gap in the `_before_request` handler (no authorization validators registered for trace endpoints) is a control bypass detectable through behavioral analysis of API request chains and permission-to-action mismatches. Casky would correlate these signals to recommend immediate patching to 3.14.0+, a review of audit trails for unauthorized trace access, and validation of the experiment-level RBAC implementation across all ML infrastructure.
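The permission-to-action mismatch check described above, as an added example (not Casky's or MLflow's code): it flags successful trace requests made without a sufficient experiment grant. The JSON log format, the `experiment_id` field, the sample paths and the method-to-permission mapping are assumptions; the log lines and grants are constructed.

```python
import json

TRACE_PREFIX = "/api/2.0/traces/"  # prefix as written above; adjust to your routes
RANK = {"NO_PERMISSIONS": 0, "READ": 1, "EDIT": 2, "MANAGE": 3}
# Assumption: minimum experiment permission each HTTP method should require.
NEEDED = {"GET": "READ", "POST": "EDIT", "PATCH": "EDIT", "DELETE": "MANAGE"}

# Constructed grants: (user, experiment_id) -> permission.
GRANTS = {("alice", "12"): "MANAGE", ("bob", "12"): "READ", ("bob", "34"): "EDIT"}

# Constructed proxy log, one JSON object per line (format is an assumption).
SAMPLE_LOG = """\
{"user":"alice","method":"DELETE","path":"/api/2.0/traces/tr-001","status":200,"experiment_id":"12"}
{"user":"bob","method":"GET","path":"/api/2.0/traces/tr-002","status":200,"experiment_id":"12"}
{"user":"bob","method":"DELETE","path":"/api/2.0/traces/tr-002","status":200,"experiment_id":"12"}
{"user":"carol","method":"GET","path":"/api/2.0/traces/tr-003","status":200,"experiment_id":"34"}
{"user":"carol","method":"GET","path":"/api/2.0/traces/tr-003","status":403,"experiment_id":"34"}
{"user":"bob","method":"GET","path":"/health","status":200,"experiment_id":"99"}
truncated-line-without-json
"""

def find_mismatches(log_text, grants, default="NO_PERMISSIONS"):
    """Return successful trace requests whose caller lacked the needed grant."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        if not isinstance(rec, dict):
            continue
        if not str(rec.get("path", "")).startswith(TRACE_PREFIX):
            continue  # only trace endpoints are in scope
        status = rec.get("status")
        if not isinstance(status, int) or not 200 <= status < 300:
            continue  # a denied request means the control held
        needed = NEEDED.get(rec.get("method"), "MANAGE")  # unknown verb: strictest
        key = (rec.get("user"), str(rec.get("experiment_id")))
        held = grants.get(key, default)
        if RANK[held] < RANK[needed]:
            findings.append((key[0], rec.get("method"), key[1], held, needed))
    return findings

if __name__ == "__main__":
    for user, method, exp, held, needed in find_mismatches(SAMPLE_LOG, GRANTS):
        print(f"{user}: {method} on experiment {exp} with {held}, needs {needed}")
```

If the deployment grants a default permission to users without an explicit entry, pass it as `default` so those users are not over-reported.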