CVE-2026-2611: MLflow: cross-origin bypass enables RCE via AI agent

AWAITING NVD
Published May 19, 2026
CISO Take

MLflow 3.9.0's Assistant feature fails to validate request origins on its /ajax-api endpoints, so any web page the victim visits can silently send cross-origin requests to an MLflow instance listening on the victim's loopback interface and reconfigure the Assistant to grant itself full access, which the Claude Code sub-agent then uses to execute arbitrary commands on the developer's machine. The blast radius is substantial: MLflow is the dominant ML experiment tracking platform in enterprise environments, and exploitation requires only that a data scientist or ML engineer with MLflow 3.9.0 running locally visits an attacker-controlled page, a trivially low bar via phishing or a compromised third-party site. The victim does not need the MLflow UI open, and the default MLflow server requires no authentication, so there is no credential for the attacker to obtain. No public exploit is confirmed and the CVE is not in CISA KEV, but CWE-346 origin validation failures are consistently straightforward to weaponize once the API surface is mapped, and the payload (full local code execution on a developer workstation) is as severe as it gets. Upgrade to MLflow 3.10.0 immediately; if patching is blocked, disable the MLflow Assistant feature entirely and front any browser-reachable MLflow instance with a proxy that enforces a loopback Origin and Host allowlist on /ajax-api.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

Effective severity is Critical despite the absent CVSS score. The attack chain is browser-initiated and needs no credentials: the default MLflow server has no authentication, and the requests are issued by the victim's own browser from inside the loopback boundary. The end-state is arbitrary code execution on a developer workstation, a privileged position with access to model artifacts, training data, cloud credentials, and internal network resources. Developer machines in ML teams are high-value targets because they bridge data infrastructure, cloud APIs, and CI/CD pipelines. Binding the Assistant endpoints to loopback was intended as a security boundary; this CVE is another demonstration that a browser on the same host is already inside that boundary. "Listens on 127.0.0.1 only" is a reachability property, not an authorization control, and any loopback API that accepts browser requests must validate Origin (and Host, against DNS rebinding) or require a credential that a foreign page cannot supply.

Attack Kill Chain

Drive-by Initial Access
Victim visits an attacker-controlled webpage (delivered via phishing or compromised site) which silently targets the victim's locally-running MLflow Assistant instance.
AML.T0078
Origin Validation Bypass
Malicious JavaScript sends cross-origin requests to MLflow's /ajax-api endpoints on localhost, bypassing the intended loopback-only restriction due to missing origin validation (CWE-346).
AML.T0049
Agent Configuration Modification
Attacker modifies the MLflow Assistant configuration via the unprotected API to enable full access mode, granting the sub-agent elevated capabilities.
AML.T0081
Arbitrary Code Execution via Sub-Agent
The reconfigured Claude Code sub-agent executes attacker-supplied commands on the victim's machine, achieving full local compromise with access to credentials, model artifacts, and connected infrastructure.
AML.T0112.000
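Closing step 2 of the chain on the server side is an exact Origin and Host check on the loopback API. The block below is an added example written for this page, not MLflow's code or its 3.10.0 fix. It assumes a WSGI deployment on 127.0.0.1:5000 and uses the /ajax-api prefix the advisory names; the request paths in the demo and the `_backend` app are placeholders.

```python
"""Origin and Host validation for a loopback-only HTTP API.

Added example for this page, not MLflow's code or its 3.10.0 fix. Assumes a
WSGI deployment on 127.0.0.1:5000 whose only legitimate browser caller is its
own UI on that loopback origin; /ajax-api is the prefix the advisory names,
the paths used in the demo are placeholders.
"""
from typing import Mapping, Optional, Set, Tuple
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def _host_of(netloc: str) -> Optional[str]:
    """'[::1]:5000' -> '::1', '127.0.0.1:5000' -> '127.0.0.1', '' -> None."""
    return urlsplit("//" + netloc).hostname


def _origin_of(url: str) -> Optional[str]:
    """Normalise to scheme://host:port so http://localhost == http://localhost:80."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on a garbage port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if ":" in host:  # bare IPv6 literal back into brackets
        host = f"[{host}]"
    return f"{parts.scheme}://{host}:{port or (443 if parts.scheme == 'https' else 80)}"


def loopback_origins(port: int) -> Set[str]:
    """Origins the API's own UI can legitimately be loaded from."""
    return {f"http://{h}:{port}" for h in ("127.0.0.1", "localhost", "[::1]")}


def request_is_trusted(headers: Mapping[str, Optional[str]], allowed: Set[str]) -> Tuple[bool, str]:
    """Applied to every method, OPTIONS preflights included.
    Host must be loopback (a DNS-rebound page looks same-origin to the browser,
    but its Host header still names the attacker's domain). Then Origin, or
    failing that Referer, must match exactly. Neither header present means a
    non-browser client (CLI/SDK); browsers always send Origin cross-origin."""
    if _host_of(headers.get("host") or "") not in LOOPBACK_HOSTS:
        return False, f"host {headers.get('host')!r} is not loopback"
    origin = headers.get("origin")
    if origin:
        return _origin_of(origin) in allowed, f"origin {origin!r}"
    referer = headers.get("referer")
    if referer:
        return _origin_of(referer) in allowed, f"referer {referer!r}"
    return True, "no browser origin headers"


class LoopbackOriginGuard:
    """WSGI middleware: 403 any request under `prefix` that fails the policy."""

    def __init__(self, app, port: int, prefix: str = "/ajax-api"):
        self.app, self.prefix, self.allowed = app, prefix, loopback_origins(port)

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(self.prefix):
            headers = {"host": environ.get("HTTP_HOST"), "origin": environ.get("HTTP_ORIGIN"),
                       "referer": environ.get("HTTP_REFERER")}
            ok, reason = request_is_trusted(headers, self.allowed)
            if not ok:
                body = f"forbidden: {reason}\n".encode()
                # No Access-Control-Allow-* headers on the way out: a foreign
                # preflight fails, and a "simple" request is refused outright.
                start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                                 ("Content-Length", str(len(body)))])
                return [body]
        return self.app(environ, start_response)


def status_for(app, method: str, path: str, **http_headers: str) -> str:
    """Drive a WSGI app with a synthetic (constructed) request; return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    environ.update({"HTTP_" + k.upper(): v for k, v in http_headers.items()})
    statuses = []

    def start_response(status, response_headers, exc_info=None):
        statuses.append(status)
        return lambda data: None

    list(app(environ, start_response))
    return statuses[0]


def _backend(environ, start_response):  # stand-in for the real API: always succeeds
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


if __name__ == "__main__":
    api = LoopbackOriginGuard(_backend, port=5000)
    print(status_for(api, "POST", "/ajax-api/demo", host="127.0.0.1:5000", origin="https://papers.example"))
```

Two design points matter here. The Host check is what stops DNS rebinding, where the attacker's page looks same-origin to the browser and Origin alone passes; and refusing a foreign Origin without emitting any Access-Control-Allow-* header covers both preflighted requests and "simple" ones, which the browser sends blind with no preflight at all. Requests carrying neither Origin nor Referer are let through so the MLflow CLI and SDK keep working; that is the one gap a non-browser process on the host could use, and it is why a loopback API with shell-adjacent capabilities should additionally require a token.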

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
claude-code | npm | not stated | No patch. Claude Code is the sub-agent the Assistant drives; the flaw is in MLflow, not in claude-code.
mlflow | pip | 3.9.0 (per the advisory text) | 3.10.0 per the advisory text; the package tracker still listed "No patch" at publication

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.0% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Patch: Upgrade MLflow to 3.10.0, which resolves the origin validation flaw.

  2. Immediate workaround if patching is blocked: disable the MLflow Assistant feature in the mlflow server configuration or set MLFLOW_ENABLE_ASSISTANT=false. The advisory text does not name this switch, so verify it against the MLflow 3.9.0 documentation before relying on it, and confirm with a test request from a foreign origin that the Assistant's /ajax-api endpoints actually stop responding.

  3. Network control: neither a browser Content Security Policy nor a host firewall helps here. CSP is set by the page being visited, so an attacker's page simply does not set one, and a host firewall cannot tell a cross-origin fetch from the developer's own MLflow tab, since both come from the same browser process. What does work: keep MLflow bound to 127.0.0.1 (never 0.0.0.0), and put a reverse proxy in front of it that rejects any /ajax-api request whose Host header is not a loopback name or whose Origin (or, failing that, Referer) is not the MLflow UI's own origin, and that emits no Access-Control-Allow-Origin header, so CORS preflights fail as well.

  4. Principle of least privilege: audit and restrict permissions granted to the Claude Code sub-agent within MLflow Assistant. Ensure it does not have broad shell or file system access beyond what the Assistant feature requires, and treat any "full access" mode as equivalent to an unauthenticated shell reachable from every web page the developer visits.

  5. Detection: the default MLflow server access log does not record Origin or Referer, so capture them at a reverse proxy (or, where MLflow runs under gunicorn, add %({Origin}i)s and %({Referer}i)s to access_log_format) and review /ajax-api entries for non-loopback Origin or Referer values, for OPTIONS preflights from foreign origins, and for configuration-change requests that arrive without a corresponding user session in the UI.

  6. Scope assessment: audit all MLflow 3.9.0 instances across developer, staging, and CI/CD environments, including instances started ad hoc with `mlflow ui` or `mlflow server` on laptops, which are precisely the ones a browser can reach.
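Step 5 in practice, as an added example that is not MLflow's own tooling: triage of a proxy access log for the Origin and Referer patterns described above. The JSON-lines log format, the sample entries and the assistant endpoint paths are all constructed for this example; the advisory does not publish the real Assistant paths, and the logic does not depend on them.

```python
"""Triage of access logs for cross-origin traffic to a loopback ML API.

Added example for this page, not MLflow's own tooling. MLflow's default server
access log carries no Origin or Referer, so this assumes a reverse proxy in
front of it writing one JSON object per request with those fields. The log
lines and endpoint paths below are constructed for the example.
"""
import json
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WRITE_OR_PREFLIGHT = {"POST", "PUT", "PATCH", "DELETE", "OPTIONS"}

# Constructed sample: a developer using the UI, a CLI run, then an attacker
# page (papers.example) hitting the Assistant endpoints from a browser tab.
SAMPLE_LOG = """\
{"ts":"2026-05-19T10:01:02Z","method":"GET","path":"/ajax-api/2.0/mlflow/experiments/search","origin":null,"referer":"http://127.0.0.1:5000/","status":200}
{"ts":"2026-05-19T10:01:09Z","method":"POST","path":"/ajax-api/2.0/mlflow/runs/create","origin":"http://127.0.0.1:5000","referer":"http://127.0.0.1:5000/","status":200}
{"ts":"2026-05-19T10:02:41Z","method":"POST","path":"/api/2.0/mlflow/runs/log-metric","origin":null,"referer":null,"status":200}
{"ts":"2026-05-19T10:03:15Z","method":"OPTIONS","path":"/ajax-api/2.0/assistant/config","origin":"https://papers.example","referer":null,"status":204}
{"ts":"2026-05-19T10:03:15Z","method":"POST","path":"/ajax-api/2.0/assistant/config","origin":"https://papers.example","referer":"https://papers.example/abstract","status":200}
{"ts":"2026-05-19T10:03:16Z","method":"POST","path":"/ajax-api/2.0/assistant/chat","origin":"https://papers.example","referer":"https://papers.example/abstract","status":200}
"""


def _host(url: Optional[str]) -> Optional[str]:
    return urlsplit(url).hostname if url else None


def classify(entry: Dict) -> List[str]:
    """Reasons an entry is suspicious; an empty list means benign.

    Only /ajax-api traffic is examined, the surface the advisory names. An
    entry with neither Origin nor Referer is treated as a non-browser client
    and left alone: browsers always send Origin on cross-origin fetch/XHR and
    form posts, so nothing browser-initiated escapes this way.
    """
    reasons: List[str] = []
    if not entry["path"].startswith("/ajax-api"):
        return reasons
    for hdr in ("origin", "referer"):
        value = entry.get(hdr)
        if value and _host(value) not in LOOPBACK:
            reasons.append(f"{hdr} {value} is not a loopback origin")
    if reasons and entry["method"] in WRITE_OR_PREFLIGHT:
        reasons.append(f"{entry['method']} from a foreign page: state change or CORS preflight")
    if reasons and entry["method"] == "OPTIONS" and entry.get("status", 0) < 400:
        reasons.append("server answered a foreign-origin preflight with success")
    return reasons


def triage(log_text: str) -> List[Dict]:
    """Parse JSON-lines access log text; return suspicious entries with their reasons."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def foreign_origins(findings: List[Dict]) -> Counter:
    """Hits per foreign page host. One host issuing an OPTIONS and then several
    POSTs within seconds is the shape of the kill chain, not of UI browsing."""
    return Counter(_host(f.get("origin") or f.get("referer")) for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["method"], f["path"], "|", "; ".join(f["reasons"]))
    print(dict(foreign_origins(hits)))
```

The split between per-entry findings and the per-host count is deliberate: a foreign-origin OPTIONS followed within a second by POSTs from the same host is the attack's shape, whereas a lone non-loopback Referer can be a developer who reached the UI through a tunnel or an alternate hostname, which calls for an allowlist entry rather than an alert.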

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
8.4 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to, recover from, and communicate about AI system incidents
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-2611?

CVE-2026-2611 is an origin validation error (CWE-346) in the MLflow Assistant's /ajax-api endpoints in MLflow 3.9.0. A malicious web page can send cross-origin requests to an MLflow instance on the victim's loopback interface, switch the Assistant into full-access mode, and have its Claude Code sub-agent run arbitrary commands on the developer's machine. It is fixed in MLflow 3.10.0; the CISO Take above covers the blast radius and the workarounds.

Is CVE-2026-2611 actively exploited?

No confirmed active exploitation of CVE-2026-2611 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2611?

Upgrade MLflow to 3.10.0. If patching is blocked, disable the MLflow Assistant feature and front any browser-reachable instance with a proxy that enforces a loopback Origin and Host allowlist on /ajax-api. The six-step list under "What should I do?" above gives the full checklist, including least-privilege configuration of the sub-agent, detection, and scope assessment.

What systems are affected by CVE-2026-2611?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, ML experiment tracking pipelines, Developer workstations running local MLflow instances, AI agent frameworks with local code execution, CI/CD pipelines using MLflow for model management.

What is the CVSS score for CVE-2026-2611?

No CVSS score has been assigned yet.

Technical Details

NVD Description

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.

Exploitation Scenario

An attacker identifies that a target ML team uses MLflow (e.g., via job postings, GitHub repos, or LinkedIn). They send a spearphishing email to a data scientist with a link to a seemingly legitimate resource: a research paper, a Kaggle notebook, or a conference abstract. The malicious page loads silently and uses JavaScript to send cross-origin fetch requests to the Assistant's configuration endpoint on http://127.0.0.1:5000 (the advisory names only the /ajax-api endpoint family; the path /ajax-api/2.0/mlflow-artifacts/mlflow-assistant/config given here is illustrative, not a published exploit detail), bypassing the intended loopback restriction due to missing origin validation. Two browser mechanics make this a blind attack: the attacker never needs to read a response, only to have the write land, and a request shaped as a "simple" one (form-encoded or text/plain body, no custom headers) is sent without any CORS preflight; if the endpoint insists on a JSON body, the attack still works wherever the server answers the preflight with a permissive Access-Control-Allow-Origin. The attacker's payload modifies the Assistant configuration to enable full access mode. A subsequent cross-origin call instructs the Claude Code sub-agent, now operating with elevated permissions, to execute a reverse shell payload or exfiltrate ~/.aws/credentials and active environment variables. The entire chain completes in seconds with no visible indication to the victim, leaving the attacker with a foothold on the developer's workstation and the developer's own access to connected resources; persistence is a follow-on step, not part of the vulnerability itself.

Weaknesses (CWE)

CWE-346: Origin Validation Error (the product does not properly verify that the source of a request is who or what it claims to be)

Timeline

Published
May 19, 2026
Last Modified
May 19, 2026
First Seen
May 19, 2026
