CVE-2026-33865: MLflow: stored XSS via MLmodel YAML artifact upload

Advisory: GHSA-fh64-r2vc-xvhr | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published April 7, 2026
CISO Take

MLflow's web interface fails to sanitize YAML-based MLmodel artifact files, allowing an authenticated attacker to embed JavaScript payloads that silently execute in any user's browser when they view the artifact in the UI. In organizations where MLflow is shared across data science teams — the norm, not the exception — a compromised low-privilege contributor account is sufficient to hijack the session of an ML engineer or platform administrator who reviews model artifacts as part of routine operations. While no public exploit or CISA KEV listing exists for this CVE, the authenticated-access barrier is low in collaborative MLOps environments where many contributors hold upload rights. Upgrade beyond MLflow 3.10.1 once a patched release ships (track GitHub PR #21435), restrict artifact upload permissions to vetted principals, and enforce a Content Security Policy on all MLflow deployments as an immediate compensating control.

Sources: NVD, ATLAS, cert.pl

What is the risk?

Medium-High within AI/ML environments. The authentication prerequisite lowers immediate blast radius, but MLflow instances are routinely shared across data science teams with broad contributor access, making the effective barrier to exploitation low in practice. Session hijacking via stored XSS can escalate to full MLflow admin access, enabling model registry manipulation or lateral movement into connected ML infrastructure. No CVSS score or EPSS data is available given the CVE's recency, but CWE-79 in a shared-access MLOps platform with insider-threat relevance warrants prompt remediation.

What systems are affected?

Package: mlflow
Ecosystem: pip
Vulnerable range: <= 3.10.1
Patched: 3.11.1
Package profile: 26.0K, OpenSSF score 4.6, 636 dependents, pushed 5d ago, 27% patched, ~55d to patch

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation status: Exploit available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What should I do?

6 steps
  1. Patch: Upgrade MLflow beyond 3.10.1 as soon as a fixed release is available — monitor GitHub PR #21435 for merge and release status.

  2. Restrict permissions: Limit MLmodel artifact upload rights to trusted, vetted principals; review current contributor lists.

  3. Network isolation: Ensure MLflow UI is not exposed to untrusted networks; require VPN or internal-only access.

  4. Content Security Policy: Enforce a strict CSP header on the MLflow server to block exfiltration to external domains even if XSS fires.

  5. Detection: Monitor web server logs for unexpected outbound requests from the MLflow process; alert on unusual session behavior for admin accounts.

  6. Workaround: If immediate patching is not feasible, disable artifact UI access for untrusted users or restrict the feature until a fix is applied.
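Steps 5 and 6 presuppose a way to find MLmodel files that already carry markup. The following is an added example, not MLflow project code: a standard-library scanner that walks an artifact-store directory (or a local copy of it), reads every file named MLmodel and flags lines a browser would render as HTML or script, including escaped forms that a plain search for `<` misses. The rule set and the two sample descriptors are constructed for illustration.

```python
# Added example (not MLflow project code): standard-library triage scan of
# MLmodel YAML artifacts for embedded HTML/JavaScript; no MLflow needed.
import re
from pathlib import Path
from typing import List, NamedTuple

# Content a browser would render as markup or script, plus escaped forms
# that hide a '<' from a naive text search. (rule name, regex) pairs.
SUSPICIOUS_PATTERNS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][\w-]*[^>]*>", re.I)),
    ("script_uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("entity_escape", re.compile(r"&(?:#x?[0-9a-f]+|lt|gt|quot);", re.I)),
    ("unicode_escape", re.compile(r"\\u00(?:3c|3e|22|27)", re.I)),
]

Finding = NamedTuple("Finding", [("path", str), ("line_no", int),
                                 ("rule", str), ("excerpt", str)])

def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per (line, rule) hit in an MLmodel document."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, line.strip()[:120]))
    return findings

def scan_artifact_root(root: Path) -> List[Finding]:
    """Scan every file named MLmodel below an artifact-store directory."""
    findings = []
    for mlmodel in sorted(root.rglob("MLmodel")):
        text = mlmodel.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, str(mlmodel)))
    return findings

# Constructed samples (illustrative values, not from a real model): a clean
# descriptor, then the same descriptor with markup in two free-text fields.
CLEAN_MLMODEL = """\
artifact_path: model
flavors:
  python_function:
    loader_module: mlflow.sklearn
mlflow_version: 3.10.1
"""
TAINTED_MLMODEL = CLEAN_MLMODEL + (
    "signature:\n  inputs: '<script>alert(1)</script>'\n"
    'metadata:\n  description: "\\u003cimg src=x onerror=alert(1)\\u003e"\n'
)
```

Run `scan_artifact_root(Path("/path/to/mlartifacts"))` against a copy of the store; each hit identifies a model version whose uploader and upload time are worth reviewing under step 2.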

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: Section 6.2 - AI system design and development security
NIST AI RMF: GOVERN-1.7 - Processes and safeguards for AI risk accountability; MANAGE-2.4 - Residual risks and vulnerability response

Frequently Asked Questions

Is CVE-2026-33865 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-33865, increasing the risk of exploitation.

What systems are affected by CVE-2026-33865?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, ML experiment tracking, training pipelines.

What is the CVSS score for CVE-2026-33865?

No CVSS score has been assigned yet.

Technical Details

NVD Description

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1.

Exploitation Scenario

An attacker holding any MLflow contributor account crafts a malicious MLmodel YAML file embedding a JavaScript payload — for example, a script that exfiltrates the victim's session cookie to an attacker-controlled server via a fetch() call. They register this as a new model version attached to a legitimate-looking experiment. When an MLflow administrator performs a routine artifact review in the web UI, the payload executes silently in their browser. The attacker receives the admin session token, authenticates as admin, and can promote malicious model versions to production, exfiltrate all registered models and experiment data, or alter training run configurations for downstream pipeline compromise.

Timeline

Published: April 7, 2026
Last Modified: April 8, 2026
First Seen: April 7, 2026