Publicly Accessible ZenML Control Plane Exposes Version, Infrastructure, and Operational Metadata
mark
Hi Team,
I'm Mark, a security researcher. This is a low-hanging bug, but it contains information.
Summary
Two ZenML MLOps control-plane deployments (production and staging, listed under Affected Assets) are publicly accessible without authentication.
While sensitive API endpoints correctly enforce authentication (401 Unauthorized), multiple administrative and metadata endpoints remain accessible to anonymous users, including:
* ZenML Dashboard
* Swagger Documentation (/docs)
* OpenAPI Specification (/openapi.json)
* Health Endpoints
* Server Information Endpoint (/api/v1/info)
The exposed metadata reveals deployment details, exact ZenML versions, database backend configuration, authentication mechanisms, secrets-store implementation, environment names, and operational activity timestamps.
Although no customer data, secrets, pipelines, or user information were accessible during testing, this disclosure significantly reduces the effort required to fingerprint the infrastructure and identify version-specific attack paths against the MLOps platform.
Severity: Low (Information Disclosure)
Affected Assets
* Production: https://zenml.production.railway.sensay.io
* Staging: https://zenml.staging.railway.sensay.io
Proof of Concept
- Unauthenticated Server Information Disclosure
Request: GET /api/v1/info against the production instance, sent without an Authorization header
Response:
{
"name":"kadikoy",
"version":"0.90.0",
"deployment_type":"other",
"database_type":"mysql",
"secrets_store_type":"sql",
"auth_scheme":"OAUTH2_PASSWORD_BEARER",
"debug":false,
"analytics_enabled":true,
"last_user_activity":"2026-06-18T19:43:43"
}
The endpoint discloses:
* Exact ZenML version
* Deployment name
* Database backend
* Secrets-store implementation
* Authentication mechanism
* Debug configuration
* Operational activity timestamps
The staging environment exposes similar information, including a different version (0.91.0).
- Administrative Documentation Accessible Without Authentication
The following resources are accessible anonymously:
Observed:
200 OK /docs
200 OK /openapi.json
200 OK /health
200 OK /api/v1/info
This provides unauthenticated users with a complete API inventory and deployment metadata.
- Authentication Enforcement Verified
Sensitive API endpoints correctly require authentication:
Observed:
401 Unauthorized
No pipeline data, secrets, user records, or execution details were accessible.
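As an added example (not part of the original report), here is an operator-side self-check that turns the observations above into findings: which metadata endpoints answer 200 without credentials, which fingerprinting fields /api/v1/info discloses, and whether a sensitive path still answers 401. The sensitive path /api/v1/pipelines and the sample responses are constructed assumptions, not values from the report.

```python
import json
import urllib.error
import urllib.request

# Endpoints the report observed answering 200 OK without credentials.
METADATA_ENDPOINTS = ("/docs", "/openapi.json", "/health", "/api/v1/info")
# /api/v1/info fields that let an outsider fingerprint the deployment.
FINGERPRINT_FIELDS = ("name", "version", "deployment_type", "database_type",
                      "secrets_store_type", "auth_scheme", "debug", "last_user_activity")
# Assumed sensitive path for confirming auth enforcement; the report names none.
SENSITIVE_PATH = "/api/v1/pipelines"


def fetch(base_url: str, path: str, timeout: float = 5.0) -> tuple:
    """Anonymous GET (no Authorization header) against a deployment you operate.
    Returns (path, status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return (path, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return (path, err.code, "")


def audit(observations) -> dict:
    """Report exposed metadata paths, fields disclosed by /api/v1/info, and
    whether the sensitive path still answers 401 to anonymous requests."""
    result = {"exposed_paths": [], "disclosed_fields": [], "auth_enforced": None}
    for path, status, body in observations:
        if path in METADATA_ENDPOINTS and status == 200:
            result["exposed_paths"].append(path)
            if path == "/api/v1/info":
                try:
                    info = json.loads(body)
                except json.JSONDecodeError:  # non-JSON body: nothing to enumerate
                    info = {}
                result["disclosed_fields"] = [f for f in FINGERPRINT_FIELDS if f in info]
        elif path == SENSITIVE_PATH:
            result["auth_enforced"] = status == 401
    return result


# Constructed sample mirroring the report's observations (not live data).
SAMPLE_INFO = {"name": "kadikoy", "version": "0.90.0", "deployment_type": "other",
               "database_type": "mysql", "secrets_store_type": "sql",
               "auth_scheme": "OAUTH2_PASSWORD_BEARER", "debug": False,
               "analytics_enabled": True, "last_user_activity": "2026-06-18T19:43:43"}
SAMPLE = [("/docs", 200, ""), ("/openapi.json", 200, ""), ("/health", 200, ""),
          ("/api/v1/info", 200, json.dumps(SAMPLE_INFO)), (SENSITIVE_PATH, 401, "")]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To re-check your own deployment after hardening, replace SAMPLE with `[fetch(BASE_URL, p) for p in (*METADATA_ENDPOINTS, SENSITIVE_PATH)]`; an empty `exposed_paths` list with `auth_enforced` still `True` is the expected end state.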
Impact
Although authentication is correctly enforced for sensitive resources, the ZenML control plane remains fully discoverable from the public internet.
An unauthenticated attacker can:
* Fingerprint the exact ZenML versions deployed in production and staging.
* Identify backend technologies and infrastructure components.
* Determine authentication mechanisms and deployment architecture.
* Enumerate all available API routes through OpenAPI documentation.
* Verify that the platform is actively used through operational timestamps.
The disclosed version information enables rapid correlation against public ZenML vulnerabilities and security advisories, reducing the effort required to develop targeted attacks against the exposed login and API surface.
Additionally, publicly exposing an internal MLOps management platform unnecessarily increases attack surface and provides reconnaissance value that would otherwise be unavailable.
References
* GET /api/v1/info
* GET /docs
* GET /openapi.json
* GET /health
* Production: https://zenml.production.railway.sensay.io
* Staging: https://zenml.staging.railway.sensay.io