Skip to main content

MLflow EUVDEUVD-2026-30853

| CVE-2026-2611 CRITICAL
Origin Validation Error (CWE-346)
2026-05-19 @huntr_ai GHSA-67c5-x5mf-rppq
9.6
CVSS 3.1 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Red Hat
9.6 CRITICAL
qualitative

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 19, 2026 - 11:16 EUVD
Source Code Evidence Fetched
May 19, 2026 - 10:45 vuln.today
Analysis Generated
May 19, 2026 - 10:45 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on mlflow (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.0.

DescriptionCVE.org

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.

AnalysisAI

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protections on /ajax-api endpoints when a victim visits a malicious webpage, ultimately achieving arbitrary command execution through the Claude Code sub-agent. The flaw stems from improper origin validation (CWE-346) and is fixed in version 3.10.0; no public exploit identified at time of analysis, though a detailed huntr.com report and an upstream commit are publicly available.

Technical ContextAI

MLflow is a widely used open-source platform for managing the machine learning lifecycle (experiments, model registry, deployment). The vulnerable component is the FastAPI-based MLflow server (mlflow/server/fastapi_security.py), specifically its CORS handling for the /ajax-api/* path prefix introduced for the MLflow Assistant. The root cause is CWE-346 (Origin Validation Error): the server was configured with allow_origins=['*'] and the CORS-blocking middleware's is_api_endpoint check only enforced restrictions on the /api/ prefix, leaving /ajax-api/ unprotected. Because the MLflow Assistant integrates with the Claude Code sub-agent - which can execute shell commands - bypassing the same-origin protection on the Assistant's configuration endpoint translates a CORS bug into full RCE on the user's host. The patch (commit 8f9c8a5) adds AJAX_API_PATH_PREFIX to is_api_endpoint and replaces the wildcard with a LOCALHOST_ORIGIN_PATTERNS regex plus an explicit allow-list.

RemediationAI

Vendor-released patch: upgrade MLflow to 3.10.0 or later, which adds AJAX_API_PATH_PREFIX to the CORS-blocked endpoint list and replaces the wildcard allow_origins with an explicit localhost regex and configurable allow-list (commit 8f9c8a53af90842944101eb8b7d60706822c81bc). If immediate upgrade is not possible, disable the MLflow Assistant feature so the /ajax-api endpoints cannot be abused to reconfigure it, and avoid running mlflow server on the same host where users browse untrusted web content; binding the server to a non-default loopback port or behind an authenticating reverse proxy that enforces strict Origin/Referer checks also reduces exposure, with the trade-off of breaking legitimate UI access until reconfigured. Review the huntr writeup (https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a) for indicators and confirm any internal MLflow images are rebuilt against 3.10.0.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

EUVD-2026-30853 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy