Description
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
Published: 2026-05-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server‑Side Request Forgery flaw exists in MLflow versions earlier than 3.9.0. The _create_webhook() routine accepts a user‑supplied url argument without validation; this url is later handed directly to _send_webhook_request() which posts to the chosen address. Consequently, an attacker who can create a webhook can instruct the MLflow server to send HTTP requests to arbitrary URLs, including internal network resources, cloud metadata services, or external domains. The lack of input sanitization, scheme filtering, or allow‑list validation means that the attacker can easily request cloud‑credential endpoints, potentially enabling credential theft, internal reconnaissance, and data exfiltration. }

Affected Systems

The vulnerability affects the mlflow/sdk and web backend component, officially identified as mlflow:mlflow/mlflow. Any deployment running MLflow 3.8.x or earlier is susceptible; version 3.9.0 and later contain the fix. Endpoints that expose the webhook create handler are the attack vector. }

Risk and Exploitability

The calculated CVSS base score of 7.1 classifies this flaw as a high‑severity vulnerability. No EPSS data is available, yet the attack requires only an authenticated user with permission to create a webhook, a common privilege in many MLflow installations. Since the flaw is not listed in the CISA KEV catalog, there is no current evidence of active exploitation, but the nature of SSRF makes it attractive for attackers seeking cloud‑metadata access. The attacker could feasibly learn internal IP addresses, request instance metadata, and use that to obtain access keys or tokens, leading to further compromise.

Generated by OpenCVE AI on May 11, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow to version 3.9.0 or newer where the _create_webhook() parameter is validated and restricted
  • If immediate upgrade is not possible, tightly restrict outbound HTTP traffic from the MLflow server by firewall rules or network segmentation so that only approved destinations are reachable
  • Disable the webhook creation endpoint or remove unauthenticated access to the MLflow web UI until a patched version is deployed

Generated by OpenCVE AI on May 11, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
Title Server-Side Request Forgery (SSRF) in mlflow/mlflow
Weaknesses CWE-918
References
Metrics cvssV3_0

{'score': 7.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-11T18:52:41.710Z

Reserved: 2026-02-12T09:36:06.051Z

Link: CVE-2026-2393

cve-icon Vulnrichment

Updated: 2026-05-11T18:52:37.406Z

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:31.500

Modified: 2026-05-11T20:25:41.320

Link: CVE-2026-2393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:30:05Z

Weaknesses