Publish Advisories

GHSA-75cm-x2w3-8mgf
GHSA-799f-29jm-gr6c

Author: advisory-database[bot]

…-75cm-x2w3-8mgf/GHSA-75cm-x2w3-8mgf.json …-75cm-x2w3-8mgf/GHSA-75cm-x2w3-8mgf.jsonadvisories/unreviewed/2026/05/GHSA-75cm-x2w3-8mgf/GHSA-75cm-x2w3-8mgf.json renamed to advisories/github-reviewed/2026/05/GHSA-75cm-x2w3-8mgf/GHSA-75cm-x2w3-8mgf.json advisories/unreviewed/2026/05/GHSA-75cm-x2w3-8mgf/GHSA-75cm-x2w3-8mgf.json renamed to advisories/github-reviewed/2026/05/GHSA-75cm-x2w3-8mgf/GHSA-75cm-x2w3-8mgf.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-75cm-x2w3-8mgf",
-  "modified": "2026-05-15T03:30:37Z",
+  "modified": "2026-05-21T19:35:52Z",
   "published": "2026-05-15T03:30:37Z",
   "aliases": [
     "CVE-2026-2652"
   ],
+  "summary": "MLflow: unauthenticated access to certain FastAPI routes",
   "details": "A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "mlflow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.11.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/mlflow/mlflow/commit/bb62e773263c14e9ba4d1a82fe72d0de2442c6aa"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mlflow/mlflow"
+    },
     {
       "type": "WEB",
       "url": "https://huntr.com/bounties/5aeff5f0-49c7-4180-b5cb-c9a046f16756"
@@ -33,8 +58,8 @@
       "CWE-305"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-21T19:35:52Z",
     "nvd_published_at": "2026-05-15T03:16:23Z"
   }
 }

advisories/github-reviewed/2026/05/GHSA-799f-29jm-gr6c/GHSA-799f-29jm-gr6c.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-799f-29jm-gr6c",
+  "modified": "2026-05-21T19:38:00Z",
+  "published": "2026-05-21T19:38:00Z",
+  "aliases": [
+    "CVE-2026-46539"
+  ],
+  "summary": "nimiq-primitives: BlockInclusionProof interlink issue when hops are empty",
+  "details": "### Impact\nA logic flaw in `BlockInclusionProof::is_block_proven` causes the function to return true without performing any cryptographic verification when `get_interlink_hops` yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as \"proven\" without any hash or signature verification.\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3705) is formally released as part of [v1.4.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0).\n\n### Workarounds\nNo Workarounds\n\n### Resources\nSee [PR](https://github.com/nimiq/core-rs-albatross/pull/3705).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "nimiq-primitives"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-799f-29jm-gr6c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/pull/3705"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/commit/cc5a1d54bbbffd1ea975bd2ee87d5f7b3b30bbf1"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nimiq/core-rs-albatross"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-345"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-21T19:38:00Z",
+    "nvd_published_at": null
+  }
+}