MLflow versions before 3.9.0 contain an SSRF vulnerability (CWE-918) due to insufficient validation of a user-controlled URL parameter in webhook creation. The _create_webhook() function in mlflow/server/handlers.py accepts an attacker-controlled URL without sanitization or allowlist filtering. Subsequently, _send_webhook_request() in mlflow/webhooks/delivery.py issues HTTP POST requests to this URL. This flaw enables authenticated attackers to coerce the MLflow backend into making arbitrary HTTP requests to internal network services, cloud metadata endpoints, or external servers. The vulnerability can lead to exposure of sensitive internal resources or cloud credentials. The CVSS 3.0 base score is 7.1 (High), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality impact. No vendor advisory or patch information is currently available, and the affected versions are unspecified but prior to 3.9.0.

An authenticated attacker can exploit this SSRF vulnerability to cause the MLflow backend to send HTTP requests to arbitrary URLs. This may result in unauthorized access to internal services, cloud metadata endpoints, or external systems, potentially leading to cloud credential theft, internal network reconnaissance, or data exfiltration. The confidentiality impact is high, while integrity impact is low and availability impact is none, per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to MLflow backend interfaces to trusted users only, and monitor for suspicious webhook creation activity. Avoid exposing MLflow services to untrusted networks. Implement network-level controls to restrict outbound HTTP requests from the MLflow server to only necessary destinations.