Executive Summary
A critical cross-origin request forgery vulnerability (CVE-2026-2611) has been disclosed in MLflow version 3.9.0, carrying a CVSS score of 9.6. The flaw resides in the MLflow Assistant feature, which introduced improper origin validation in its /ajax-api endpoints.
A remote attacker can exploit this vulnerability by serving a malicious webpage that sends crafted cross-origin requests to a victim's locally running MLflow Assistant instance. This enables unauthorized interaction with the MLflow Assistant API on behalf of the authenticated user — without any credentials or special access.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-2611 |
| CVSS Score | 9.6 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (victim visits malicious page) |
| Affected Version | MLflow 3.9.0 |
| Component | MLflow Assistant (/ajax-api endpoints) |
| Vulnerability Type | Improper Origin Validation / CSRF |
| Published | May 19, 2026 |
Affected Products
| Product | Version | Component | Status |
|---|---|---|---|
| MLflow | 3.9.0 | MLflow Assistant, /ajax-api | Vulnerable |
MLflow is a widely used open-source platform for managing the machine learning lifecycle — including experiment tracking, model registry, and now AI-assisted operations through the MLflow Assistant feature. It is commonly run locally by data scientists and ML engineers during development workflows.
Technical Analysis
Root Cause
The vulnerability was introduced with the MLflow Assistant feature in version 3.9.0. The Assistant feature exposes API functionality via /ajax-api endpoints intended to interact with the local MLflow server. However, these endpoints fail to properly validate the Origin header of incoming HTTP requests.
In standard web browser security, the Same-Origin Policy (SOP) stops a script on one origin from reading responses that come back from another origin, but it does not stop the browser from sending the request in the first place. If a server neither validates the Origin header on state-changing requests nor restricts which origins it trusts through its CORS controls (Access-Control-Allow-Origin), a malicious page can still trigger those requests against a same-machine service, with the browser attaching the victim's cookies: a classic CSRF attack pattern.
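What proper Origin validation on the /ajax-api tree looks like, as an added example that is not MLflow project code: a WSGI middleware that refuses state-changing /ajax-api requests unless they carry the origin the UI is served from. It assumes the server runs on http://localhost:5000 and that the MLflow Flask application can be wrapped like any WSGI app; the Assistant request path and the stand-in application are constructed for the example.

```python
from urllib.parse import urlsplit

# Origins the MLflow UI is legitimately served from (assumption: default local bind)
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # cannot change state; SOP already hides responses


def request_origin(environ):
    """Effective origin (scheme://host[:port]) from Origin, else Referer; None if absent/'null'."""
    origin = environ.get("HTTP_ORIGIN")
    if not origin and environ.get("HTTP_REFERER"):
        p = urlsplit(environ["HTTP_REFERER"])
        origin = f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None
    if not origin or origin == "null":  # sandboxed iframes and file:// pages send 'null'
        return None
    return origin.rstrip("/").lower()


def is_protected(environ):
    """True for state-changing requests to the /ajax-api tree (reads are left to the SOP)."""
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET").upper()
    return (path == "/ajax-api" or path.startswith("/ajax-api/")) and method not in SAFE_METHODS


class OriginGuard:
    """WSGI middleware: refuse cross-origin writes to /ajax-api before the app sees them.
    A protected request with no recognisable origin is refused as well, since browsers
    always send Origin or Referer there (assumption: CLI clients use the /api endpoints)."""

    def __init__(self, app, allowed=ALLOWED_ORIGINS):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        if is_protected(environ) and request_origin(environ) not in self.allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"cross-origin request to /ajax-api rejected\n"]
        return self.app(environ, start_response)


def _stand_in_app(environ, start_response):  # constructed stand-in for the MLflow Flask app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(environ):
    """Run one constructed WSGI request through the guard and return the status line."""
    seen = {}
    body = OriginGuard(_stand_in_app)(environ, lambda status, headers: seen.update(status=status))
    b"".join(body)  # drain the response iterable as a WSGI server would
    return seen["status"]
```

Besides upgrading, the same guard can be placed in front of a 3.9.0 instance by serving the wrapped application under gunicorn instead of the bare mlflow.server:app (that module path is an assumption; check it against your install).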
Attack Scenario
1. Victim opens MLflow locally (http://localhost:5000) and is authenticated
2. Victim is lured to visit attacker-controlled webpage
3. Malicious page's JavaScript sends cross-origin requests to http://localhost:5000/ajax-api/...
4. MLflow 3.9.0 does not validate Origin header on /ajax-api endpoints
5. Browser attaches victim's session cookies/credentials to the request
6. Attacker can interact with MLflow Assistant on behalf of the victim
7. Possible actions: data exfiltration via AI queries, experiment manipulation, model access
Why CVSS 9.6
| Metric | Value | Reason |
|---|---|---|
| Network reachable | AV:N | Exploited via malicious webpage, no local access needed |
| No auth required | PR:N | Attacker needs no credentials on the MLflow instance |
| Low complexity | AC:L | Standard CSRF technique, no complex conditions |
| High impact | C:H/I:H/A:H | Full interaction with victim's MLflow Assistant session |
Impact Assessment
| Impact Area | Description |
|---|---|
| AI Workflow Manipulation | Attacker can issue arbitrary queries to the MLflow Assistant on behalf of the victim |
| Data Exfiltration | AI Assistant interactions may reveal experiment data, model artifacts, or credentials stored in the MLflow context |
| Experiment Tampering | Depending on Assistant capabilities, attackers could alter tracked experiments or model registry entries |
| Credential Exposure | Local MLflow instances often have access to cloud storage credentials (S3, Azure, GCS) |
| Supply Chain Risk | MLflow is used in CI/CD and automated ML pipelines — compromised instances can affect downstream model deployments |
Remediation
Immediate Action: Upgrade MLflow
The vulnerability exists specifically in MLflow 3.9.0. Check for a patched release from the MLflow project:
```bash
# Check current MLflow version
python -c "import mlflow; print(mlflow.__version__)"
# Upgrade to the latest patched version
pip install --upgrade mlflow
# Verify version after upgrade
python -c "import mlflow; print(mlflow.__version__)"
```
Mitigation: Restrict MLflow Network Access
While patching is the primary remediation, restrict MLflow's network exposure as an immediate safeguard:
```bash
# Launch MLflow bound to localhost only (prevents external access)
mlflow ui --host 127.0.0.1 --port 5000
# If using mlflow server
mlflow server --host 127.0.0.1 --port 5000
```
Mitigation: Disable MLflow Assistant Feature
If the MLflow Assistant is not required, disable it to reduce the attack surface until a patch is applied.
Network Controls
```bash
# Block external access to MLflow port via firewall
# iptables example (Linux)
iptables -A INPUT -p tcp --dport 5000 ! -s 127.0.0.1 -j DROP
# Confirm MLflow is only listening on loopback
ss -tlnp | grep 5000
```
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected cross-origin requests in MLflow access logs | Possible CSRF exploitation attempt |
| Unusual queries to /ajax-api endpoints | Investigate source origin |
| MLflow Assistant API calls from non-localhost origins | Potential active exploitation |
| Unexpected model registry changes or experiment deletions | Post-exploitation manipulation |
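A log review that applies the indicators above, added here as an example rather than anything shipped with MLflow. It assumes gunicorn's default access log format extended with the Origin request header (`%({origin}i)s`) and runs over constructed log lines; the Assistant request path in them is made up for the example.

```python
import re
from urllib.parse import urlsplit

# gunicorn's default access log line, extended with the Origin request header
# (assumption: access_log_format ends with '"%({origin}i)s"'; verify against your config)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*" "(?P<origin>[^"]*)"$'
)
LOCAL_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def effective_origin(origin, referer):
    """Origin header if logged, else scheme://netloc of the Referer, else None ('-' means absent)."""
    if origin and origin != "-":
        return origin.lower()
    if referer and referer != "-":
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}".lower()
    return None

def review_log(lines):
    """Flag /ajax-api requests whose origin is not the local UI; state-changing ones rate high.
    A CSRF request is relayed by the victim's own browser, so the client IP is 127.0.0.1 for
    legitimate and malicious traffic alike; only the Origin/Referer tells them apart."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not (m["path"] == "/ajax-api" or m["path"].startswith("/ajax-api/")):
            continue
        src = effective_origin(m["origin"], m["referer"])
        if src in LOCAL_ORIGINS:
            continue
        findings.append({
            "ts": m["ts"], "method": m["method"], "path": m["path"],
            "origin": src or "(none)",
            "severity": "high" if m["method"] in STATE_CHANGING else "medium",
        })
    return findings

# Constructed sample: two legitimate UI calls, one cross-origin Assistant POST, one CLI call
SAMPLE_LOG = """\
127.0.0.1 - - [19/May/2026:10:00:01 +0000] "GET /ajax-api/2.0/mlflow/experiments/get?experiment_id=0 HTTP/1.1" 200 812 "http://localhost:5000/" "Mozilla/5.0" "http://localhost:5000"
127.0.0.1 - - [19/May/2026:10:02:17 +0000] "POST /ajax-api/assistant/query HTTP/1.1" 200 2048 "http://localhost:5000/" "Mozilla/5.0" "http://localhost:5000"
127.0.0.1 - - [19/May/2026:10:05:44 +0000] "POST /ajax-api/assistant/query HTTP/1.1" 200 1331 "https://attacker.example/lure.html" "Mozilla/5.0" "https://attacker.example"
127.0.0.1 - - [19/May/2026:10:06:02 +0000] "GET /api/2.0/mlflow/runs/get?run_id=abc HTTP/1.1" 200 500 "-" "python-requests/2.31" "-"
"""
```

Run `review_log(SAMPLE_LOG.splitlines())` to get the single high-severity finding for the third line; the other three are either same-origin or outside /ajax-api.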
Post-Remediation Checklist
- Upgrade MLflow from 3.9.0 to a patched version as soon as available
- Restrict MLflow to bind to 127.0.0.1 if not already
- Audit MLflow access logs for suspicious cross-origin requests
- Review experiment history and model registry for unauthorized changes
- Rotate any cloud storage credentials accessible to the MLflow instance
- Evaluate MLflow Assistant necessity — disable if unused
- Implement network-level firewall rules to block external MLflow access