CVE-2026-2611: CWE-346 Origin Validation Error in mlflow mlflow/mlflow
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
AI Analysis
Technical Summary
In MLflow 3.9.0, the MLflow Assistant's /ajax-api endpoints do not properly validate the origin of incoming requests. This origin validation error (CWE-346) allows remote attackers to bypass intended loopback-only restrictions by exploiting cross-origin requests from malicious web pages. By doing so, attackers can alter the Assistant's configuration to enable full access privileges. This elevated access permits execution of arbitrary commands through the Claude Code sub-agent, posing a critical security risk. The vulnerability is fixed in MLflow version 3.10.0.
Potential Impact
Successful exploitation allows remote attackers to bypass origin restrictions and gain full access to the MLflow Assistant configuration. This leads to arbitrary command execution on the victim's machine via the Claude Code sub-agent, compromising confidentiality, integrity, and availability of the affected system. The CVSS score of 9.6 reflects critical severity with network attack vector, no privileges required, user interaction needed, and scope change.
Mitigation Recommendations
Upgrade MLflow to version 3.10.0 or later, where this vulnerability is resolved. Since this is a self-hosted product and not a cloud service, applying the official fix is necessary to mitigate the risk. Patch status is not explicitly stated in the vendor advisory, but the description confirms resolution in version 3.10.0. Until upgrading, restrict access to the MLflow Assistant endpoints to trusted networks and users to reduce exposure.
CVE-2026-2611: CWE-346 Origin Validation Error in mlflow mlflow/mlflow
Description
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In MLflow 3.9.0, the MLflow Assistant's /ajax-api endpoints do not properly validate the origin of incoming requests. This origin validation error (CWE-346) allows remote attackers to bypass intended loopback-only restrictions by exploiting cross-origin requests from malicious web pages. By doing so, attackers can alter the Assistant's configuration to enable full access privileges. This elevated access permits execution of arbitrary commands through the Claude Code sub-agent, posing a critical security risk. The vulnerability is fixed in MLflow version 3.10.0.
Potential Impact
Successful exploitation allows remote attackers to bypass origin restrictions and gain full access to the MLflow Assistant configuration. This leads to arbitrary command execution on the victim's machine via the Claude Code sub-agent, compromising confidentiality, integrity, and availability of the affected system. The CVSS score of 9.6 reflects critical severity with network attack vector, no privileges required, user interaction needed, and scope change.
Mitigation Recommendations
Upgrade MLflow to version 3.10.0 or later, where this vulnerability is resolved. Since this is a self-hosted product and not a cloud service, applying the official fix is necessary to mitigate the risk. Patch status is not explicitly stated in the vendor advisory, but the description confirms resolution in version 3.10.0. Until upgrading, restrict access to the MLflow Assistant endpoints to trusted networks and users to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-02-17T02:36:47.412Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0c3632ec166c07b08eb0ef
Added to database: 5/19/2026, 10:06:42 AM
Last enriched: 5/19/2026, 10:22:05 AM
Last updated: 5/20/2026, 6:01:51 PM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.