PatchSiren

CVE-2026-2611 mlflow CVE debrief

CVE-2026-2611 is a critical remote attack surface issue in MLflow Assistant where improper origin validation on /ajax-api endpoints can let a malicious webpage interact with the Assistant on a victim’s local machine. According to the published description, this can bypass the intended loopback-only restriction, change Assistant configuration, and lead to arbitrary command execution through the Claude Code sub-agent. The issue is reported as fixed in MLflow 3.10.0.

Vendor: mlflow
Product: mlflow/mlflow
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

MLflow users running version 3.9.0, especially anyone using the MLflow Assistant feature on local workstations. Security teams should prioritize environments where users may browse untrusted websites while the Assistant is active locally.

Technical summary

The reported flaw is an origin-validation failure affecting MLflow Assistant’s /ajax-api endpoints. Because requests from a malicious webpage may be accepted despite the intended loopback-only boundary, a remote attacker can trigger cross-origin interactions against the locally running Assistant process. The described downstream impact is configuration modification that can enable broader access and, in turn, arbitrary command execution via the Claude Code sub-agent. The CVE record maps the weakness to CWE-346 and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
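
The sketch below is an added example, not MLflow's code or the upstream fix. It shows why a loopback peer check alone does not stop a webpage in the victim's own browser, and how Host, Origin and Sec-Fetch-Site checks close that gap. The port 5000, the allowlist, the function names and the header dictionary shape are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration (not from MLflow): service port and allowlist.
ALLOWED_HOSTS = {"127.0.0.1:5000", "localhost:5000"}
PROTECTED_PREFIX = "/ajax-api"  # endpoint prefix named in the CVE description
LOOPBACK_PEERS = {"127.0.0.1", "::1"}


def origin_host(origin):
    """Return lower-cased 'host:port' of a bare http(s) origin, else None."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return parts.netloc.lower() or None


def is_request_allowed(path, headers, peer_ip):
    """headers: dict keyed by lower-cased header name."""
    if peer_ip not in LOOPBACK_PEERS:
        return False  # socket-level loopback boundary
    if not path.startswith(PROTECTED_PREFIX):
        return True
    # Host must name the local service; rejects DNS-rebinding hostnames.
    if headers.get("host", "").lower() not in ALLOWED_HOSTS:
        return False
    origin = headers.get("origin")
    if origin is not None:
        # A browser on the same machine connects from loopback too, so the
        # page's origin, not the peer address, identifies the caller.
        return origin_host(origin) in ALLOWED_HOSTS
    # No Origin (CLI client, or a browser no-cors GET): rely on Sec-Fetch-Site.
    return headers.get("sec-fetch-site", "none") in ("same-origin", "none")
```
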

Defensive priority

Immediate / Critical

Recommended defensive actions

  • Upgrade MLflow to version 3.10.0 or later.
  • Treat MLflow Assistant on local machines as exposed to cross-origin abuse until patched.
  • Review whether users can access untrusted websites while the Assistant is running and reduce that exposure where possible.
  • Monitor local MLflow Assistant configuration changes for unexpected updates.
  • Validate that any deployment guidance or hardening intended to enforce loopback-only access remains effective after remediation.

Evidence notes

This debrief is based only on the supplied NVD record, the linked upstream GitHub commit reference, and the Huntr bounty reference. The source data states CVE-2026-2611 was published and modified on 2026-05-19, with MLflow 3.9.0 affected and 3.10.0 containing the fix. NVD currently lists the vulnerability status as Undergoing Analysis. Vendor attribution in the supplied corpus is low confidence and should be treated cautiously.

Official resources

Published by the CVE record on 2026-05-19. The supplied record indicates the vulnerability was still undergoing analysis in NVD at the time of the source snapshot.