Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
AnalysisAI
Stored cross-site scripting (XSS) in MLflow through version 3.10.1 allows authenticated attackers to inject malicious payloads via YAML-based MLmodel artifacts that execute when other users view the artifact in the web interface, enabling session hijacking or unauthorized actions on behalf of victims. CVSS 5.1 reflects low severity due to authentication requirement and user interaction; SSVC framework rates exploitation as none, automatable as no, and technical impact as partial. Upstream fix is available in a GitHub PR, though no formally released patched version has been independently confirmed from provided data.
Technical ContextAI
MLflow's web interface parses YAML-based MLmodel artifact metadata without proper sanitization before rendering it in the browser context. The vulnerability resides in how the application deserializes and displays user-supplied YAML content to other authenticated users, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). YAML parsers can inadvertently execute embedded HTML/JavaScript if output is not escaped. The CPE cpe:2.3:a:mlflow:mlflow:*:*:*:*:*:*:*:* indicates the entire MLflow product line from version 0 through 3.10.1 is in scope. The attack vector is network-based (AV:N) with low complexity (AC:L), but requires low-privilege authentication (PR:L) and user interaction (UI:P) to trigger-a user must browse the artifacts section after an authenticated attacker uploads a malicious MLmodel file.
RemediationAI
Upstream fix available via GitHub pull request https://github.com/mlflow/mlflow/pull/21435; a formally released patched version number is not confirmed from provided data, so verify the latest stable MLflow release incorporates this PR. As an immediate mitigation, restrict upload permissions for MLmodel artifacts to trusted users only and educate team members not to click artifact links from untrusted sources. Monitor artifact upload logs for suspicious YAML payloads containing HTML/script tags. Implement Content Security Policy (CSP) headers in your MLflow deployment to restrict inline script execution in the web UI, which would limit the impact of any unpatched stored XSS.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19608
GHSA-fh64-r2vc-xvhr