CVE-2026-2611: MLflow: cross-origin bypass enables RCE via AI agent

GHSA-67c5-x5mf-rppq CRITICAL CISA: ATTEND
Published May 19, 2026
CISO Take

MLflow 3.9.0's Assistant feature fails to validate request origins on its /ajax-api endpoints, allowing any malicious webpage to silently send cross-origin requests to a victim's locally-running MLflow instance and reconfigure the Assistant to grant itself full access — which the Claude Code sub-agent then leverages to execute arbitrary commands on the developer's machine. The blast radius is substantial: MLflow is the dominant ML experiment tracking platform in enterprise environments, and exploitation requires only that a data scientist or ML engineer with an active MLflow session visits an attacker-controlled page — a trivially low bar via phishing or a compromised third-party site. No public exploit is confirmed and the CVE is not in CISA KEV, but CWE-346 origin validation failures are consistently straightforward to weaponize once the API surface is mapped, and the payload (full local code execution on a developer workstation) is as severe as it gets. Upgrade to MLflow 3.10.0 immediately; if patching is blocked, disable the MLflow Assistant feature entirely or enforce network-level controls that prevent browser access to loopback MLflow instances from untrusted origins.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Effective severity is Critical despite the absent CVSS score. The attack chain is browser-initiated with no authentication required beyond the victim having MLflow running locally, and the end-state is arbitrary code execution on a developer workstation — a privileged position with access to model artifacts, training data, cloud credentials, and internal network resources. Developer machines in ML teams are high-value targets because they bridge data infrastructure, cloud APIs, and CI/CD pipelines. The loopback-only design of MLflow's Assistant endpoints was intended as a security boundary; this CVE demonstrates that browser-based cross-origin attacks routinely defeat loopback assumptions without user-visible interaction.

How does the attack unfold?

Step 1 - Drive-by Initial Access [AML.T0078]
Victim visits an attacker-controlled webpage (delivered via phishing or a compromised site) which silently targets the victim's locally running MLflow Assistant instance.

Step 2 - Origin Validation Bypass [AML.T0049]
Malicious JavaScript sends cross-origin requests to MLflow's /ajax-api endpoints on localhost, bypassing the intended loopback-only restriction because origin validation is missing (CWE-346).

Step 3 - Agent Configuration Modification [AML.T0081]
Attacker modifies the MLflow Assistant configuration via the unprotected API to enable full access mode, granting the sub-agent elevated capabilities.

Step 4 - Arbitrary Code Execution via Sub-Agent [AML.T0112.000]
The reconfigured Claude Code sub-agent executes attacker-supplied commands on the victim's machine, achieving full local compromise with access to credentials, model artifacts, and connected infrastructure.
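The control that step 2 says is missing is a check of where a request came from, not which interface it arrived on. The following is an added example (not MLflow's code and not its 3.10.0 fix) of that check as a WSGI middleware: it refuses state-changing requests under the "/ajax-api" prefix named in the advisory unless the browser's provenance headers (Origin, Sec-Fetch-Site, Referer) identify the server's own UI, while letting non-browser clients such as the MLflow SDK or curl through. The port 5000, the allow-list of loopback origins, and the demo application are assumptions of this example.

```python
"""Origin validation for a loopback-bound HTTP API (added example, not MLflow's code).

A server bound to 127.0.0.1 still receives requests that a browser on the same host
sends on behalf of whatever page the user is viewing, so "it only listens on loopback"
is not an origin check. The guard below refuses state-changing requests under the
protected prefix unless the browser-supplied provenance headers show they came from
the server's own UI. Only the "/ajax-api" prefix comes from the advisory; the port,
the allow-list and the demo application are assumptions of this example.
"""
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def allowed_origins(port: int) -> frozenset:
    """Exact origins the UI may be served from. Browsers normalise the Origin header
    to scheme://host[:port] with default ports omitted, so exact-set matching is safe
    and avoids prefix mistakes such as accepting 'http://127.0.0.1:5000.attacker.example'."""
    suffix = "" if port == 80 else f":{port}"
    return frozenset(f"http://{h}{suffix}" for h in ("127.0.0.1", "localhost", "[::1]"))


def _origin_of(url: str) -> str:
    """Reduce a URL (e.g. a Referer) to its origin: scheme://host[:port], lower-cased."""
    try:
        p = urlsplit(url)
        host, port = p.hostname or "", p.port
    except ValueError:                       # malformed port etc.: treat as untrusted
        return ""
    if ":" in host:                          # IPv6 literal needs its brackets back
        host = f"[{host}]"
    default = 80 if p.scheme == "http" else 443
    return f"{p.scheme}://{host}" + ("" if port in (None, default) else f":{port}")


def is_trusted_origin(headers: dict, allowed: frozenset) -> bool:
    """Decide from browser provenance headers whether a request may change state.

    Precedence: Origin (sent on every cross-origin fetch/XHR and every POST) beats
    Sec-Fetch-Site (sent by all current browsers) beats Referer. A request carrying
    none of them did not come from a browser (CLI, SDK, curl) and is allowed through;
    a web page cannot suppress all three on a cross-origin POST."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        return origin in allowed             # "null" and foreign origins both fail here
    site = h.get("sec-fetch-site")
    if site is not None:
        return site == "same-origin"
    referer = h.get("referer")
    if referer is not None:
        return _origin_of(referer) in allowed
    return True


class OriginGuard:
    """WSGI middleware: 403 any non-safe request under `prefix` with untrusted provenance."""

    def __init__(self, app, port: int, prefix: str = "/ajax-api"):
        self.app, self.prefix = app, prefix
        self.allowed = allowed_origins(port)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "")
        if path.startswith(self.prefix) and method not in SAFE_METHODS:
            # WSGI exposes request headers as HTTP_SEC_FETCH_SITE etc.; rebuild their names.
            headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
            if not is_trusted_origin(headers, self.allowed):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"cross-origin request refused\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application (assumed): accepts everything that reaches it."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"config updated\n"]


def request_status(app, method: str, path: str, headers=None) -> str:
    """Drive a WSGI app with a synthetic request and return the status line it chose."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    app(environ, lambda s, h, exc_info=None: status.append(s))
    return status[0]


if __name__ == "__main__":
    guarded = OriginGuard(demo_app, port=5000)
    config = "/ajax-api/2.0/mlflow-artifacts/mlflow-assistant/config"   # path from the advisory
    print(request_status(guarded, "POST", config, {"Origin": "https://attacker.example"}))  # 403
    print(request_status(guarded, "POST", config, {"Origin": "http://127.0.0.1:5000"}))     # 200
    print(request_status(guarded, "POST", config))                                           # 200 (SDK/curl)
```

Read-only GET requests are deliberately left alone: without CORS response headers the browser never exposes their bodies to a foreign page, and rejecting them would break developers who open API URLs in the address bar. The Sec-Fetch-Site check is the backstop for the rare unsafe request that a browser sends without an Origin header.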

What systems are affected?

Package       Ecosystem   Vulnerable Range   Patched
Claude Code   npm                            No patch
MLflow        pip         = 3.9.0            3.10.0

Package profile, Claude Code: 134.7K, pushed 7d ago, 73% patched, ~2d to patch.
Package profile, MLflow: 26.7K, OpenSSF 5.4, 655 dependents, pushed 6d ago, 31% patched, ~76d to patch.

How severe is it?

CVSS 3.1: 9.6 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 29% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

  1. Patch: Upgrade MLflow to 3.10.0 which resolves the origin validation flaw.

  2. Immediate workaround if patching is blocked: disable the MLflow Assistant feature in mlflow server configuration or set MLFLOW_ENABLE_ASSISTANT=false.

  3. Network control: configure browser Content Security Policy or local firewall rules to block cross-origin requests to 127.0.0.1/localhost from web contexts.

  4. Principle of least privilege: audit and restrict permissions granted to the Claude Code sub-agent within MLflow Assistant — ensure it does not have broad shell or file system access beyond what the Assistant feature requires.

  5. Detection: review MLflow /ajax-api access logs for unexpected Origin headers or configuration-change requests from non-interactive sessions.

  6. Scope assessment: audit all MLflow 3.9.0 instances across developer, staging, and CI/CD environments.
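Step 5 above calls for reviewing /ajax-api access logs for unexpected Origin headers. The scanner below is an added example, not part of this advisory or of MLflow, of what that review looks like in code. It assumes a reverse proxy in front of MLflow writes the combined log format plus two extra fields, origin="..." and sfs="..." (nginx's $http_origin and $http_sec_fetch_site variables would provide them); the log lines are constructed for this example, with only the "/ajax-api" prefix and the assistant config path taken from the advisory. It flags any /ajax-api request whose Origin is not the MLflow UI or whose Sec-Fetch-Site says it was initiated from another site, and rates state-changing ones "high".

```python
"""Flag cross-origin traffic to a loopback MLflow server in access logs (added example).

Assumed log format: the combined format followed by origin="<Origin header>" and
sfs="<Sec-Fetch-Site header>", with "-" for an absent header. The sample lines are
constructed; only the "/ajax-api" prefix and the assistant config path are from the
advisory. The 5000 port is an assumption.
"""
import re

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'origin="(?P<origin>[^"]*)" sfs="(?P<sfs>[^"]*)"$'
)

# Constructed sample: a normal UI read, an SDK write, a foreign page reconfiguring the
# assistant, a foreign page reading, a sandboxed (null-origin) frame writing, a UI write.
SAMPLE_LOG = """
127.0.0.1 - - [19/May/2026:10:02:11 +0000] "GET /ajax-api/2.0/mlflow/experiments/search?max_results=25 HTTP/1.1" 200 1834 "http://127.0.0.1:5000/" "Mozilla/5.0" origin="-" sfs="same-origin"
127.0.0.1 - - [19/May/2026:10:02:40 +0000] "POST /ajax-api/2.0/mlflow/runs/create HTTP/1.1" 200 312 "-" "python-requests/2.32.3" origin="-" sfs="-"
127.0.0.1 - - [19/May/2026:10:03:05 +0000] "POST /ajax-api/2.0/mlflow-artifacts/mlflow-assistant/config HTTP/1.1" 200 97 "https://papers.attacker.example/abstract.html" "Mozilla/5.0" origin="https://papers.attacker.example" sfs="cross-site"
127.0.0.1 - - [19/May/2026:10:03:06 +0000] "GET /ajax-api/2.0/mlflow/experiments/search HTTP/1.1" 200 1834 "https://papers.attacker.example/abstract.html" "Mozilla/5.0" origin="https://papers.attacker.example" sfs="cross-site"
127.0.0.1 - - [19/May/2026:10:03:09 +0000] "POST /ajax-api/2.0/mlflow/runs/create HTTP/1.1" 200 312 "-" "Mozilla/5.0" origin="null" sfs="cross-site"
127.0.0.1 - - [19/May/2026:10:05:00 +0000] "POST /ajax-api/2.0/mlflow-artifacts/mlflow-assistant/config HTTP/1.1" 200 97 "http://127.0.0.1:5000/" "Mozilla/5.0" origin="http://127.0.0.1:5000" sfs="same-origin"
""".strip().splitlines()


def allowed_origins(port: int) -> set:
    """Origins the MLflow UI itself is served from; everything else is foreign."""
    suffix = "" if port == 80 else f":{port}"
    return {f"http://{h}{suffix}" for h in ("127.0.0.1", "localhost", "[::1]")}


def parse(line: str):
    """Return the log fields as a dict, or None if the line is not in the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict, allowed: set):
    """Return (severity, reason) for an /ajax-api request that did not come from the
    server's own UI or from a non-browser client; None for unremarkable requests."""
    if not rec["path"].startswith("/ajax-api"):
        return None
    origin, sfs = rec["origin"], rec["sfs"]
    if origin != "-" and origin not in allowed:
        reason = f"Origin {origin!r} is not the MLflow UI"
    elif sfs not in ("-", "same-origin"):
        reason = f"Sec-Fetch-Site {sfs!r}: browser request initiated from another site"
    else:
        return None
    # A cross-origin write is the configuration-change pattern; a read is still worth a look.
    severity = "high" if rec["method"] not in SAFE_METHODS else "medium"
    return severity, reason


def scan(lines, port: int = 5000) -> list:
    """Run classify() over log lines and collect the findings in log order."""
    allowed = allowed_origins(port)
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue            # in production, count unparsable lines instead of dropping them
        verdict = classify(rec, allowed)
        if verdict:
            severity, reason = verdict
            findings.append({"time": rec["time"], "client": rec["client"], "method": rec["method"],
                             "path": rec["path"], "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['method']} {f['path']} :: {f['reason']}")
```

Two of the three findings are "high" because they are POSTs from a foreign or null origin, which is exactly the shape of the configuration change in this advisory; the "medium" GET shows the same page probing the API first. Requests with no provenance headers at all (the SDK line) are not flagged, since that is what legitimate non-browser clients look like.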

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: 8.4 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to respond to, recover from, and communicate about AI system incidents
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions


Is CVE-2026-2611 actively exploited?

No confirmed active exploitation of CVE-2026-2611 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-2611?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, ML experiment tracking pipelines, Developer workstations running local MLflow instances, AI agent frameworks with local code execution, CI/CD pipelines using MLflow for model management.

What is the CVSS score for CVE-2026-2611?

CVE-2026-2611 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.37%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms
ML experiment tracking pipelines
Developer workstations running local MLflow instances
AI agent frameworks with local code execution
CI/CD pipelines using MLflow for model management

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0078 Drive-by Compromise
AML.T0081 Modify AI Agent Configuration
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.

Exploitation Scenario

An attacker identifies that a target ML team uses MLflow (e.g., via job postings, GitHub repos, or LinkedIn). They send a spearphishing email to a data scientist with a link to a seemingly legitimate resource — a research paper, a Kaggle notebook, or a conference abstract. The malicious page loads silently and uses JavaScript to send cross-origin fetch requests to http://127.0.0.1:5000/ajax-api/2.0/mlflow-artifacts/mlflow-assistant/config, bypassing the intended loopback restriction due to missing origin validation. The attacker's payload modifies the Assistant configuration to enable full access mode. A subsequent cross-origin call instructs the Claude Code sub-agent — now operating with elevated permissions — to execute a reverse shell payload or exfiltrate ~/.aws/credentials and active environment variables. The entire chain completes in seconds with no visible indication to the victim, and the attacker gains persistent access to the developer's workstation and all its connected resources.

Weaknesses (CWE)

CWE-346 — Origin Validation Error: The product does not properly verify that the source of data or communication is valid.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published: May 19, 2026
Last Modified: June 27, 2026
First Seen: May 19, 2026

Related Vulnerabilities