Description
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
Published: 2026-05-19
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the MLflow Assistant feature is a CWE‑346 Improper Origin Validation and also involves CWE‑940 Missing Encryption when Sending Sensitive Information, allowing a remote attacker to bypass the intended loopback‑only restriction on the /ajax‑api endpoints. By sending cross‑origin requests from a malicious web page, the attacker can alter the Assistant’s configuration to enable full access. Once privileged, the attacker can employ the Claude Code sub‑agent to execute arbitrary commands on the victim’s machine, leading to complete compromise of confidentiality, integrity, and availability.

Affected Systems

MLflow 3.9.0 is affected. The issue is fixed in version 3.10.0. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 9.6 indicates high severity. The EPSS score of <1% indicates a very low but non‑zero likelihood of exploitation, and the vulnerability is not in the CISA KEV catalog. The likely attack vector is a remote attacker controlling a web page that performs cross‑origin AJAX requests to an MLflow instance running locally. If successful, the attacker can modify configuration and run arbitrary code via the Assistant’s sub‑agent. The lack of mitigation means the risk remains open until the patch is applied or a temporary workaround is enforced.

Generated by OpenCVE AI on May 28, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow to version 3.10.0 or later.
  • If upgrading immediately is not possible, deny external access to the /ajax‑api endpoints or disable the MLflow Assistant feature entirely.
  • Restrict the MLflow deployment to trusted hosts or enforce authentication and CORS policies to prevent unauthenticated cross‑origin requests.

Generated by OpenCVE AI on May 28, 2026 at 02:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-67c5-x5mf-rppq MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
History

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-940
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Critical

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Tue, 19 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
Title Improper Origin Validation in mlflow/mlflow
Weaknesses CWE-346
References
Metrics cvssV3_0

{'score': 9.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-19T13:26:31.829Z

Reserved: 2026-02-17T02:36:47.412Z

Link: CVE-2026-2611

cve-icon Vulnrichment

Updated: 2026-05-19T13:26:28.318Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T10:16:22.983

Modified: 2026-05-22T21:00:30.900

Link: CVE-2026-2611

cve-icon Redhat

Severity : Critical

Publid Date: 2026-05-19T09:16:42Z

Links: CVE-2026-2611 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:04Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-940

    Improper Verification of Source of a Communication Channel