Description
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.

This issue affects MLflow versions through 3.10.1.
Published: 2026-04-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via unsafe YAML parsing in MLflow
Action: Patch Immediately
AI Analysis

Impact

MLflow’s web interface processes user‑supplied MLmodel files described in YAML. An authenticated attacker can embed a malicious script inside such a file. When another user opens the artifact in the UI, the embedded code runs in that user’s browser, enabling session hijacking or unauthorized actions on their behalf. This is a classic Cross‑Site Scripting vulnerability that can compromise confidentiality, integrity and availability for all users who view the artifact.

Affected Systems

The vulnerability exists in all released versions of MLflow up to and including 3.10.1. The affected product is the MLflow tooling used to manage model artifacts and serve the web interface.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. Exploitation requires only that the attacker be authenticated to the system so they can upload the malicious artifact, and a second user must subsequently view it in the UI. Because the EPSS score is not available and the issue is not listed in CISA’s KEV catalog, the overall threat rating is moderate but still actionable.

Generated by OpenCVE AI on April 7, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow to version 3.10.2 or later, which contains a safe YAML parsing fix.
  • If an upgrade is not immediately feasible, restrict or revoke upload permissions for users who can add MLmodel files, or disable the upload feature until a patch is applied.
  • Monitor logs for unusual upload activity and verify that no untrusted YAML files are being processed.

Generated by OpenCVE AI on April 7, 2026 at 19:54 UTC.

Advisories
Source: Github GHSA
ID: GHSA-fh64-r2vc-xvhr
Title: MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

History

Mon, 20 Apr 2026 18:45:00 +0000

Values Added:
  First Time appeared: Lfprojects; Lfprojects mlflow
  CPEs: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  Vendors & Products: Lfprojects; Lfprojects mlflow
  Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 14 Apr 2026 16:15:00 +0000

Values Removed:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 14:15:00 +0000


Wed, 08 Apr 2026 20:15:00 +0000

Values Added:
  First Time appeared: Mlflow; Mlflow mlflow
  Vendors & Products: Mlflow; Mlflow mlflow

Tue, 07 Apr 2026 15:15:00 +0000

Values Added:
  Description: MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1.
  Title: Stored XSS via unsafe YAML parsing in MLflow
  Weaknesses: CWE-79
  References
  Metrics: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-14T15:13:57.547Z

Reserved: 2026-03-24T13:13:32.905Z

Link: CVE-2026-33865

Vulnrichment

Updated: 2026-04-07T13:10:10.733Z

NVD

Status: Analyzed

Published: 2026-04-07T13:16:46.840

Modified: 2026-04-20T18:44:12.623

Link: CVE-2026-33865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:32Z

Weaknesses