Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 pypi packages depend on mlflow (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.9.0.
DescriptionCVE.org
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
AnalysisAI
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protections on /ajax-api endpoints when a victim visits a malicious webpage, ultimately achieving arbitrary command execution through the Claude Code sub-agent. The flaw stems from improper origin validation (CWE-346) and is fixed in version 3.10.0; no public exploit identified at time of analysis, though a detailed huntr.com report and an upstream commit are publicly available.
Technical ContextAI
MLflow is a widely used open-source platform for managing the machine learning lifecycle (experiments, model registry, deployment). The vulnerable component is the FastAPI-based MLflow server (mlflow/server/fastapi_security.py), specifically its CORS handling for the /ajax-api/* path prefix introduced for the MLflow Assistant. The root cause is CWE-346 (Origin Validation Error): the server was configured with allow_origins=['*'] and the CORS-blocking middleware's is_api_endpoint check only enforced restrictions on the /api/ prefix, leaving /ajax-api/ unprotected. Because the MLflow Assistant integrates with the Claude Code sub-agent - which can execute shell commands - bypassing the same-origin protection on the Assistant's configuration endpoint translates a CORS bug into full RCE on the user's host. The patch (commit 8f9c8a5) adds AJAX_API_PATH_PREFIX to is_api_endpoint and replaces the wildcard with a LOCALHOST_ORIGIN_PATTERNS regex plus an explicit allow-list.
RemediationAI
Vendor-released patch: upgrade MLflow to 3.10.0 or later, which adds AJAX_API_PATH_PREFIX to the CORS-blocked endpoint list and replaces the wildcard allow_origins with an explicit localhost regex and configurable allow-list (commit 8f9c8a53af90842944101eb8b7d60706822c81bc). If immediate upgrade is not possible, disable the MLflow Assistant feature so the /ajax-api endpoints cannot be abused to reconfigure it, and avoid running mlflow server on the same host where users browse untrusted web content; binding the server to a non-default loopback port or behind an authenticating reverse proxy that enforces strict Origin/Referer checks also reduces exposure, with the trade-off of breaking legitimate UI access until reconfigured. Review the huntr writeup (https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a) for indicators and confirm any internal MLflow images are rebuilt against 3.10.0.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-346 – Origin Validation Error
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30853
GHSA-67c5-x5mf-rppq