Description
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
Published: 2026-05-19
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the MLflow Assistant feature is a CWE-346 Improper Origin Validation that allows a remote attacker to bypass the intended loopback-only restriction on the /ajax-api endpoints. By sending cross-origin requests from a malicious web page, the attacker can alter the Assistant’s configuration to enable full access. Once privileged, the attacker can employ the Claude Code sub-agent to execute arbitrary commands on the victim’s machine, leading to complete compromise of confidentiality, integrity, and availability.

Affected Systems

MLflow 3.9.0 is affected. The issue is fixed in version 3.10.0. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 9.6 indicates high severity. EPSS is unavailable and the vulnerability is not in the CISA KEV catalog. The likely attack vector is a remote attacker controlling a web page that performs cross‑origin AJAX requests to an MLflow instance running locally. If successful, the attacker can modify configuration and run arbitrary code via the Assistant’s sub‑agent. The lack of mitigation means the risk remains open until the patch is applied or a temporary workaround is enforced.

Generated by OpenCVE AI on May 19, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow to version 3.10.0 or later.
  • If upgrading immediately is not possible, deny external access to the /ajax-api endpoints or disable the MLflow Assistant feature entirely.
  • Restrict the MLflow deployment to trusted hosts or enforce authentication and CORS policies to prevent unauthenticated cross‑origin requests.

Generated by OpenCVE AI on May 19, 2026 at 11:51 UTC.
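
The recommended actions call for origin checks on the /ajax-api endpoints. The following is an added example, not MLflow's code and not the 3.10.0 fix: a WSGI middleware that decides on browser-set headers rather than on the peer address. The class name `LoopbackOriginGuard` and the port 5000 are assumptions made for this illustration.

```python
# Added illustration, not MLflow code: WSGI guard for a loopback-only API.
from urllib.parse import urlsplit

GUARDED_PREFIX = "/ajax-api"  # path prefix named in the advisory
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


class LoopbackOriginGuard:
    """Reject browser requests to GUARDED_PREFIX that did not come from the local UI."""

    def __init__(self, app, port=5000):  # port is an assumption for this example
        self.app = app
        self.port = port

    def _is_local(self, netloc):
        # Accept only an exact loopback host on the expected port.
        host, sep, port = netloc.lower().rpartition(":")
        return bool(sep) and host in LOOPBACK_HOSTS and port == str(self.port)

    def reason_to_reject(self, environ):
        if not environ.get("PATH_INFO", "").startswith(GUARDED_PREFIX):
            return None
        # The TCP peer is loopback even when a remote page drives the victim's
        # browser, so the decision rests on headers page script cannot forge.
        if not self._is_local(environ.get("HTTP_HOST", "")):
            return "unexpected Host (possible DNS rebinding)"
        origin = environ.get("HTTP_ORIGIN")
        if origin is not None:
            parts = urlsplit(origin)
            if parts.scheme != "http" or not self._is_local(parts.netloc):
                return "cross-origin request"
        # Fetch metadata also covers requests that carry no Origin header.
        site = environ.get("HTTP_SEC_FETCH_SITE", "same-origin")
        if site not in ("same-origin", "none"):
            return "cross-site fetch metadata"
        return None

    def __call__(self, environ, start_response):
        reason = self.reason_to_reject(environ)
        if reason is None:
            return self.app(environ, start_response)
        body = ("forbidden: " + reason).encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
```

Requests with no Origin header, such as those from command-line clients on the same machine, pass the guard; it complements authentication and does not replace it.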


Advisories

No advisories yet.

History

Tue, 19 May 2026 14:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:15:00 +0000

First Time appeared (added): Mlflow; Mlflow mlflow/mlflow
Vendors & Products (added): Mlflow; Mlflow mlflow/mlflow

Tue, 19 May 2026 10:15:00 +0000

Description (added): In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
Title (added): Improper Origin Validation in mlflow/mlflow
Weaknesses (added): CWE-346
References
Metrics (added): cvssV3_0 {'score': 9.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-19T13:26:31.829Z

Reserved: 2026-02-17T02:36:47.412Z

Link: CVE-2026-2611

Vulnrichment

Updated: 2026-05-19T13:26:28.318Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T10:16:22.983

Modified: 2026-05-19T15:03:31.370

Link: CVE-2026-2611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T13:00:05Z

Weaknesses