MLflow, Improper Origin Validation, CVE-2026-2611 (Critical)

Listen to this Post

The vulnerability resides in the MLflow Assistant feature introduced in version 3.9.0. The Assistant’s `/ajax-api` endpoints failed to implement proper origin validation, specifically omitting a cross-origin resource sharing (CORS) check that should have restricted requests to only those originating from the same loopback interface. Because of this flaw, an attacker controlling a malicious website can send arbitrary cross-origin requests to a victim’s locally running MLflow instance. When the victim visits the attacker’s page, the victim’s browser issues these unauthorized requests to localhost. The server processes them due to the missing origin validation, allowing the attacker to bypass the intended loopback-only restriction. Once the restriction is bypassed, the attacker can modify the Assistant’s configuration to grant full access. With the configuration altered, the attacker can then instruct the Assistant’s Claude Code sub-agent to execute arbitrary operating system commands. In summary, the chain is: No CORS check → Cross-origin request bypass → Configuration tampering → Remote code execution via Claude Code. The issue is fixed in MLflow version 3.10.0, which adds proper origin validation to these endpoints.

dailycve form:

Platform: MLflow
Version: 3.9.0
Vulnerability: Improper Origin Validation
Severity: Critical
date: 2026-05-19
Prediction: 2026-07-01

What Undercode Say:

Check MLflow version
mlflow --version
Exploit simulation (educational only)
curl -X POST http://localhost:5000/ajax-api/configure \
-H "Origin: https://attacker.com" \
-d '{"config": "full_access"}'
Verify fix after upgrade to 3.10.0
pip install mlflow==3.10.0
mlflow --version

Exploit:

A remote attacker hosts a malicious webpage with JavaScript that sends cross-origin POST requests to `http://localhost:5000/ajax-api/configure`. When a victim visits, the browser executes the script, changing the Assistant’s settings to allow full access and subsequently executing arbitrary commands via the Claude Code sub-agent.

Protection from this CVE:

  • Upgrade MLflow to version 3.10.0 or later immediately.
  • If immediate upgrade is not possible, block all external access to the MLflow Tracking Server and restrict the `/ajax-api` endpoints to localhost using a firewall or reverse proxy.
  • Monitor logs for suspicious cross-origin requests or unauthorized configuration changes.

Impact:

Full remote code execution (RCE) on the victim’s machine. An attacker can read, modify, or delete any file accessible to the MLflow process, install backdoors, pivot to internal networks, or use the compromised host for further attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top