Description
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.


This issue affects MLflow version through 3.10.1
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to model artifacts via missing access control
Action: Patch
AI Analysis

Impact

The vulnerability enables a user who lacks permission to an experiment to retrieve model artifacts through an unsecured AJAX endpoint. Because the application omits required authorization checks, attackers can access confidential data that should be protected, aligning with CWE‑862.

Affected Systems

MLflow releases up through version 3.10.1 are affected. All builds of the MLflow product distributed by the Mlflow vendor fall into this range.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the issue is not listed in the CISA KEV catalogue. No EPSS score is reported. An attacker can exploit the flaw by issuing an HTTP request to the AJAX endpoint while authenticated with any user account that does not have experiment‑level permissions. The exploit requires no special privileges beyond network access to the MLflow server, making it likely to be performed from an internal network or any system that can reach the endpoint.

Generated by OpenCVE AI on April 7, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 3.10.1 that contains the fix for the missing authorization check.
  • Verify that the Ajax download endpoint no longer returns artifacts to users without proper experiment permissions.
  • Implement least‑privilege user roles and regularly audit permissions to prevent unauthorized access.

Generated by OpenCVE AI on April 7, 2026 at 19:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-46r5-x6jq-v8g6 MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
History

Mon, 20 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow
Vendors & Products Mlflow
Mlflow mlflow

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1
Title Authorization Bypass in MLflow AJAX Endpoint
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-14T15:12:44.168Z

Reserved: 2026-03-24T13:13:32.905Z

Link: CVE-2026-33866

cve-icon Vulnrichment

Updated: 2026-04-07T13:05:41.111Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T13:16:47.000

Modified: 2026-04-20T18:45:16.500

Link: CVE-2026-33866

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:49:31Z

Weaknesses