Skip to main content

Red Hat CVE-2026-33865

| EUVDEUVD-2026-19608 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 CERT-PL GHSA-fh64-r2vc-xvhr
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
4.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 13:00 euvd
EUVD-2026-19608
Analysis Generated
Apr 07, 2026 - 13:00 vuln.today
Patch released
Apr 07, 2026 - 13:00 nvd
Patch available
CVE Published
Apr 07, 2026 - 12:57 nvd
MEDIUM 5.1

DescriptionCVE.org

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.

This issue affects MLflow version through 3.10.1

AnalysisAI

Stored cross-site scripting (XSS) in MLflow through version 3.10.1 allows authenticated attackers to inject malicious payloads via YAML-based MLmodel artifacts that execute when other users view the artifact in the web interface, enabling session hijacking or unauthorized actions on behalf of victims. CVSS 5.1 reflects low severity due to authentication requirement and user interaction; SSVC framework rates exploitation as none, automatable as no, and technical impact as partial. Upstream fix is available in a GitHub PR, though no formally released patched version has been independently confirmed from provided data.

Technical ContextAI

MLflow's web interface parses YAML-based MLmodel artifact metadata without proper sanitization before rendering it in the browser context. The vulnerability resides in how the application deserializes and displays user-supplied YAML content to other authenticated users, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). YAML parsers can inadvertently execute embedded HTML/JavaScript if output is not escaped. The CPE cpe:2.3:a:mlflow:mlflow:*:*:*:*:*:*:*:* indicates the entire MLflow product line from version 0 through 3.10.1 is in scope. The attack vector is network-based (AV:N) with low complexity (AC:L), but requires low-privilege authentication (PR:L) and user interaction (UI:P) to trigger-a user must browse the artifacts section after an authenticated attacker uploads a malicious MLmodel file.

RemediationAI

Upstream fix available via GitHub pull request https://github.com/mlflow/mlflow/pull/21435; a formally released patched version number is not confirmed from provided data, so verify the latest stable MLflow release incorporates this PR. As an immediate mitigation, restrict upload permissions for MLmodel artifacts to trusted users only and educate team members not to click artifact links from untrusted sources. Monitor artifact upload logs for suspicious YAML payloads containing HTML/script tags. Implement Content Security Policy (CSP) headers in your MLflow deployment to restrict inline script execution in the web UI, which would limit the impact of any unpatched stored XSS.

Vendor StatusVendor

Share

CVE-2026-33865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy