CVE-2026-33865: MLflow: stored XSS via MLmodel YAML artifact upload
MLflow's web interface fails to sanitize YAML-based MLmodel artifact files, allowing an authenticated attacker to embed JavaScript payloads that silently execute in any user's browser when they view the artifact in the UI. In organizations where MLflow is shared across data science teams — the norm, not the exception — a compromised low-privilege contributor account is sufficient to hijack the session of an ML engineer or platform administrator who reviews model artifacts as part of routine operations. While no public exploit or CISA KEV listing exists for this CVE, the authenticated-access barrier is low in collaborative MLOps environments where many contributors hold upload rights. Upgrade beyond MLflow 3.10.1 once a patched release ships (track GitHub PR #21435), restrict artifact upload permissions to vetted principals, and enforce a Content Security Policy on all MLflow deployments as an immediate compensating control.
Risk Assessment
Medium-High within AI/ML environments. The authentication prerequisite lowers immediate blast radius, but MLflow instances are routinely shared across data science teams with broad contributor access, making the effective barrier to exploitation low in practice. Session hijacking via stored XSS can escalate to full MLflow admin access, enabling model registry manipulation or lateral movement into connected ML infrastructure. No CVSS score or EPSS data is available given the CVE's recency, but CWE-79 in a shared-access MLOps platform with insider-threat relevance warrants prompt remediation.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | ≤ 3.10.1 (per NVD description) | No patch |
Recommended Action
- Patch: Upgrade MLflow beyond 3.10.1 as soon as a fixed release is available — monitor GitHub PR #21435 for merge and release status.
- Restrict permissions: Limit MLmodel artifact upload rights to trusted, vetted principals; review current contributor lists.
- Network isolation: Ensure MLflow UI is not exposed to untrusted networks; require VPN or internal-only access.
- Content Security Policy: Enforce a strict CSP header on the MLflow server to block exfiltration to external domains even if XSS fires.
- Detection: Monitor web server logs for unexpected outbound requests from the MLflow process; alert on unusual session behavior for admin accounts.
- Workaround: If immediate patching is not feasible, disable artifact UI access for untrusted users or restrict the feature until a fix is applied.
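The "restrict permissions", "Content Security Policy" and "workaround" items above can be backed by a concrete artifact check. The following is an added example written for this page, not MLflow's own code and not the fix from PR #21435. It shows two defender-side controls using only the Python standard library: a triage scan that flags MLmodel YAML lines carrying HTML-active content (usable as an upload gate or to sweep already-stored artifacts), and the rendering-side fix for CWE-79, escaping artifact text before it is placed in a page. The MLmodel samples are constructed for the example, the `<script>alert(1)</script>` marker is inert, and the CSP string is a starting point that assumes the MLflow UI needs no third-party origins; it must be tested against your deployment before enforcement.

```python
"""Defender-side checks for MLmodel YAML artifacts (added example, not MLflow code)."""
import html
import re

# Content a reviewer would not expect in a legitimate MLmodel file.
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "data_uri_html": re.compile(r"data\s*:\s*text/html", re.IGNORECASE),
}

# Starting-point CSP for the MLflow server (assumption: the UI needs no external
# origins). connect-src 'self' is the directive that stops fetch()-based
# exfiltration to attacker domains even if a payload does execute.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; connect-src 'self'; "
    "img-src 'self' data:; object-src 'none'; base-uri 'self'; "
    "form-action 'self'; frame-ancestors 'none'"
)


def scan_mlmodel_text(text):
    """Return (line_number, pattern_name, line) for every suspicious line.

    Scans the raw YAML text rather than a parsed tree so it needs no YAML
    library and also catches markup hidden in comments or flow-style values.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def is_safe_to_accept(text):
    """Upload-gate decision: accept only artifacts with no findings."""
    return not scan_mlmodel_text(text)


def render_artifact_preview(text):
    """Rendering-side fix: escape the artifact so the browser treats it as text."""
    return "<pre>" + html.escape(text, quote=True) + "</pre>"


# Constructed sample artifacts (not taken from any real model).
BENIGN_MLMODEL = """artifact_path: model
flavors:
  python_function:
    loader_module: mlflow.sklearn
    python_version: 3.11.4
  sklearn:
    pickled_model: model.pkl
    sklearn_version: 1.4.2
mlflow_version: 3.10.1
model_uuid: 0123456789abcdef0123456789abcdef
signature:
  inputs: '[{"type": "double", "name": "x"}]'
  outputs: '[{"type": "double"}]'
"""

HOSTILE_MLMODEL = """artifact_path: model
flavors:
  python_function:
    loader_module: mlflow.sklearn
    # inert marker used only to exercise the scan
    description: "<script>alert(1)</script>"
mlflow_version: 3.10.1
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MLMODEL), ("hostile", HOSTILE_MLMODEL)):
        print(f"{label}: accept={is_safe_to_accept(doc)}")
        for lineno, name, line in scan_mlmodel_text(doc):
            print(f"  line {lineno} [{name}]: {line}")
    print(render_artifact_preview(HOSTILE_MLMODEL))
```

Run it against a tree of downloaded artifacts to triage what is already stored; the escaping function is the behaviour any artifact viewer must have, whatever the scanner says, because a scan is a compensating control and not a substitute for output encoding.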
Technical Details
NVD Description
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1.
Exploitation Scenario
An attacker holding any MLflow contributor account crafts a malicious MLmodel YAML file embedding a JavaScript payload — for example, a script that exfiltrates the victim's session cookie to an attacker-controlled server via a fetch() call. They register this as a new model version attached to a legitimate-looking experiment. When an MLflow administrator performs a routine artifact review in the web UI, the payload executes silently in their browser. The attacker receives the admin session token, authenticates as admin, and can promote malicious model versions to production, exfiltrate all registered models and experiment data, or alter training run configurations for downstream pipeline compromise.
Related Vulnerabilities
- CVE-2025-15379 (10.0): MLflow: RCE via unsanitized model dependency specs (same package: mlflow)
- CVE-2023-3765 (10.0): MLflow: path traversal allows arbitrary file read (same package: mlflow)
- CVE-2026-2635 (9.8): mlflow: security flaw enables exploitation (same package: mlflow)
- CVE-2023-1177 (9.8): MLflow: path traversal allows arbitrary file read/write (same package: mlflow)
- CVE-2023-2780 (9.8): MLflow: path traversal allows arbitrary file read/write (same package: mlflow)