CVE-2026-33866: MLflow: auth bypass exposes model artifacts across experiments

Published April 7, 2026
CISO Take

MLflow contains a missing authorization check (CWE-862) on the AJAX endpoint used to download saved model artifacts, allowing any user with basic MLflow access to retrieve artifacts from experiments they are explicitly not permitted to view. For organizations running multi-tenant MLflow deployments, which are common in enterprises with multiple data science teams, this means proprietary trained models, hyperparameters, and associated files can be exfiltrated by any authenticated user regardless of experiment-level permissions. While no CVSS score has been assigned yet and no public exploits exist, CWE-862 authorization bypasses are inherently trivial to exploit once the endpoint is known: because the permission gate is absent, an attacker simply queries the endpoint. Upgrade beyond MLflow 3.10.1 immediately using the fix from GitHub PR #21708, and in the interim restrict MLflow access to authorized networks and audit artifact download logs for anomalous cross-experiment access.

Sources: NVD, ATLAS, GitHub Advisory

Risk Assessment

Medium-High risk for any multi-user or multi-team MLflow deployment. The vulnerability (CWE-862, Missing Authorization) requires no technical sophistication: an attacker with any level of MLflow access simply calls the AJAX artifact download endpoint directly, and because the permission check is absent, nothing stops the request. The primary constraints are having some authenticated access to the MLflow instance and knowing target artifact paths, both of which are attainable through normal MLflow usage. In enterprise environments where MLflow is shared across teams with experiment-level segregation, this creates a significant insider threat and lateral-access vector for proprietary model theft.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip         through 3.10.1     No patch


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade MLflow to a patched version beyond 3.10.1 that includes the fix from GitHub PR #21708.
  2. Until patched, restrict network access to the MLflow UI and API to authorized personnel only via VPN or internal network segmentation.
  3. Audit artifact download endpoint logs for cross-experiment access, flagging any request where the requesting user's experiment membership does not include the artifact's parent experiment.
  4. Review and tighten the list of users with any MLflow access, as all authenticated users are potentially affected by this bypass.
  5. Consider temporarily enforcing storage-layer access controls (e.g., S3 bucket policies or filesystem ACLs) on artifact storage backends as a defense-in-depth measure.
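The audit described in step 3, as an added example that is not part of this advisory or of MLflow's own code: it parses constructed access-log lines for artifact downloads, resolves each run to its parent experiment, and flags requests by users who are not permitted to read that experiment. The log line format, the `/get-artifact` endpoint path, its `run_uuid` and `path` query parameters, and the run-to-experiment and permission tables are all assumptions for illustration; substitute your deployment's real log format and authorization data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access log lines (not real MLflow logs). The endpoint path and
# query parameters are assumptions for illustration only.
SAMPLE_LOG = """\
2026-04-07T10:00:01Z user=alice GET /get-artifact?run_uuid=run-a1&path=model/model.pkl 200
2026-04-07T10:00:05Z user=bob GET /get-artifact?run_uuid=run-a1&path=model/model.pkl 200
2026-04-07T10:00:09Z user=bob GET /get-artifact?run_uuid=run-b7&path=params.yaml 200
2026-04-07T10:00:12Z user=carol GET /get-artifact?run_uuid=run-c3&path=weights.bin 200
2026-04-07T10:00:15Z user=carol GET /api/2.0/mlflow/experiments/search 200
"""

# Constructed authorization data: the parent experiment of each run, and the
# experiments each user is allowed to read (the experiment-level permissions
# the advisory says the download endpoint failed to enforce).
RUN_TO_EXPERIMENT = {"run-a1": "exp-team-a", "run-b7": "exp-team-b", "run-c3": "exp-team-c"}
USER_PERMISSIONS = {
    "alice": {"exp-team-a"},
    "bob": {"exp-team-b"},
    "carol": {"exp-team-c"},
}

# Assumed log layout: "<timestamp> user=<name> <method> <path?query> <status>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$")

def find_cross_experiment_downloads(log_text, run_to_experiment, user_permissions):
    """Return (timestamp, user, run_id, experiment, artifact_path) for every artifact
    download whose requesting user is not permitted to read the run's parent experiment."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlparse(m["target"])
        if url.path != "/get-artifact":  # assumed artifact download endpoint
            continue
        query = parse_qs(url.query)
        run_id = query.get("run_uuid", [None])[0]
        experiment = run_to_experiment.get(run_id)
        if experiment is None:
            continue  # unknown run id: worth its own alert, out of scope here
        if experiment not in user_permissions.get(m["user"], set()):
            findings.append((m["ts"], m["user"], run_id, experiment, query.get("path", [""])[0]))
    return findings

if __name__ == "__main__":
    for finding in find_cross_experiment_downloads(SAMPLE_LOG, RUN_TO_EXPERIMENT, USER_PERMISSIONS):
        print("cross-experiment artifact download:", finding)
```

In the constructed sample only bob's download from run-a1 (owned by exp-team-a, which bob cannot read) is flagged; the other downloads stay within each user's own experiment.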

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1 - Policies for AI system use
NIST AI RMF: GOVERN 6.1 - Organizational teams document AI risk policies

Technical Details

NVD Description

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1.

Exploitation Scenario

A contractor or employee with limited MLflow access, restricted to a single low-sensitivity experiment, uses MLflow's standard experiment listing to enumerate run IDs and artifact paths from other teams' restricted experiments. They then directly call the AJAX artifact download endpoint with those artifact paths. Since the endpoint skips authorization validation entirely, the attacker successfully downloads model weights, configuration files, or training artifacts from experiments they should not have access to. This could be used to exfiltrate a competitor-sensitive model, extract data about confidential training datasets, or steal IP before leaving the organization.

Weaknesses (CWE)

CWE-862: Missing Authorization

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
