Vulnerability  ·  2026-06-04

CVE-2026-4035 (CVSS 9.1): MLflow AI Gateway Resolves Env Vars in API Keys — Low-Privilege Users Can Exfiltrate Cloud Credentials to Attacker-Controlled Endpoints

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-4035
MLflow versions prior to 3.11.0 resolve environment variable references (e.g. $AWS_ACCESS_KEY_ID) embedded in the api_key field of AI Gateway secrets against the server's live environment and then forward the resolved values in provider authentication headers to the configured api_base URL. An attacker who can write a gateway secret — a low-privileged authenticated user in basic-auth deployments, or any unauthenticated user in default deployments — can set api_base to an attacker-controlled endpoint and exfiltrate server-side environment credentials, including AWS access keys and secrets used for model artifact storage, enabling artifact poisoning and cross-boundary code execution in downstream environments.
The only prerequisite is the ability to write a gateway secret: any unauthenticated user in a default deployment, or a low-privilege authenticated user in a basic-auth deployment. The attacker sets api_base to a URL they control and puts an env-var reference in the api_key field; on the next provider call, MLflow's AI Gateway resolves the reference against the server environment and forwards the credential value to that URL.
All MLflow AI Gateway versions prior to 3.11.0 are affected. Self-hosted deployments without basic-auth, which is the default configuration, are at particularly high risk.
Upgrade to MLflow 3.11.0 immediately (patch commit 4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3). If immediate upgrade is not possible, restrict gateway-secret write access to trusted administrators only and audit existing gateway secrets for env-var references pointing to attacker-reachable api_base URLs. Rotate any potentially exposed cloud credentials.
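To support the interim audit step above, the following is an added example (not MLflow's code and not part of this advisory) that scans gateway-secret records for env-var references in api_key combined with an api_base host outside a trusted-provider allowlist. The record shape, the allowlist hosts and the ${NAME} reference form are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import urlparse

# Matches $NAME or ${NAME} (the ${NAME} form is an assumption; the advisory
# shows $NAME), i.e. references MLflow < 3.11.0 resolved server-side.
ENV_REF = re.compile(r"\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))")

# Hosts this deployment is expected to call (constructed allowlist).
TRUSTED_HOSTS = {"api.openai.com", "api.anthropic.com"}


def env_refs(value):
    """Return the env-var names referenced in a secret value."""
    return [a or b for a, b in ENV_REF.findall(value or "")]


def api_base_host(api_base):
    host = urlparse(api_base or "").hostname
    return host.lower() if host else None


def audit_secret(secret):
    """Classify one gateway secret as ok / warn / critical with a reason.

    'critical' means an env-var reference in api_key would be resolved and
    sent to a host outside TRUSTED_HOSTS: the CVE-2026-4035 pattern.
    """
    refs = env_refs(secret.get("api_key"))
    host = api_base_host(secret.get("api_base"))
    if not refs:
        return ("ok", "no env-var reference in api_key")
    if host is None:
        return ("warn", f"env refs {refs} but api_base has no host")
    if host not in TRUSTED_HOSTS:
        return ("critical", f"env refs {refs} would be sent to {host}")
    return ("warn", f"env refs {refs} forwarded to trusted host {host}")


def audit_all(secrets):
    """Map secret name -> (severity, reason) for every record."""
    return {s["name"]: audit_secret(s) for s in secrets}


# Constructed sample records; the shape is illustrative, not MLflow's own.
SAMPLE_SECRETS = [
    {"name": "prod-openai", "api_key": "sk-literal-value", "api_base": "https://api.openai.com/v1"},
    {"name": "suspect", "api_key": "$AWS_SECRET_ACCESS_KEY", "api_base": "https://collector.example.net/v1"},
    {"name": "braces", "api_key": "${AWS_ACCESS_KEY_ID}", "api_base": "https://api.anthropic.com"},
]

if __name__ == "__main__":
    for name, (sev, why) in audit_all(SAMPLE_SECRETS).items():
        print(f"{sev:8} {name}: {why}")
```

Any record reported as critical should have its api_base corrected and the referenced cloud credential rotated, since the value may already have left the server.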
Sources
NVD — CVE-2026-4035
GitHub — mlflow/mlflow patch commit