CVE-2026-2393
Published 2026-05-11
Priority P3 · 46 · Severity high · CVSS 3.0 base score 7.1
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.29% (20.4th percentile)
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
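The checks the description says were missing (scheme filtering, an allowlist, and rejection of internal or metadata destinations) are small, and the example below shows what they look like at the point where the advisory places the gap: when a webhook URL is accepted and stored. This is an illustration added here; it is not MLflow's code and not the 3.9.0 fix. The function `validate_webhook_url`, its helpers, and every hostname and address in `FAKE_DNS` are constructed for the example; only `_create_webhook()` and `_send_webhook_request()` are names taken from the advisory.

```python
"""Webhook URL validation against SSRF (added example, not MLflow's own code).

The advisory describes the weak pattern: a create handler stores a user-supplied
``url`` unchanged and a delivery routine later POSTs to it. ``validate_webhook_url``
is a hypothetical replacement for the missing check. Name resolution is injectable
so the example runs offline against a constructed DNS table.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS table standing in for real records (names and addresses are made up).
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],                          # ordinary public endpoint
    "internal-dashboard.corp": ["10.0.4.25"],                        # RFC 1918 host
    "rebind.attacker.example": ["93.184.216.34", "169.254.169.254"],  # public answer plus IMDS
}


def fake_resolve(host: str) -> Iterable[str]:
    """Offline resolver for the example; unknown names fail like NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


def system_resolve(host: str) -> Iterable[str]:
    """Production resolver: every A/AAAA answer, not just the first one."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects 127.0.0.0/8 and ::1, RFC 1918, 169.254.0.0/16 (AWS/GCP/Azure IMDS at
    169.254.169.254), fc00::/7 (AWS IMDS at fd00:ec2::254), 0.0.0.0 and multicast.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_webhook_url(url: str, *, resolve: Resolver = system_resolve,
                         allowed_hosts: Optional[set] = None) -> str:
    """Return the URL if it is an acceptable webhook target, else raise ValueError.

    Meant to run where the advisory says no check existed: at webhook creation,
    before the URL is stored for later delivery.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("webhook URL must use https")
    if parts.username or parts.password:
        raise ValueError("credentials in the webhook URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("webhook URL has no host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise ValueError(f"host {host!r} is not on the webhook allowlist")

    # A literal IP (including a bracketed IPv6 one) never touches DNS, so test it directly.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except socket.gaierror as exc:
            raise ValueError(f"host {host!r} does not resolve: {exc}") from exc
    if not addrs:
        raise ValueError(f"host {host!r} does not resolve")

    # Every answer must be public: one internal record among several is enough for
    # the delivery side to reach it.
    bad = [a for a in addrs if not _is_public(a)]
    if bad:
        raise ValueError(f"host {host!r} resolves to non-public address(es) {bad}")
    return parts.geturl()


def is_safe_webhook_url(url: str, *, resolve: Resolver = system_resolve,
                        allowed_hosts: Optional[set] = None) -> bool:
    """Boolean wrapper around validate_webhook_url for bulk checks."""
    try:
        validate_webhook_url(url, resolve=resolve, allowed_hosts=allowed_hosts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/mlflow",            # accepted
        "http://hooks.example.com/mlflow",             # wrong scheme
        "https://169.254.169.254/latest/meta-data/",   # metadata endpoint, literal IP
        "https://127.0.0.1:5000/api/2.0/mlflow/",      # loopback: the tracking server itself
        "https://internal-dashboard.corp/",            # resolves to RFC 1918
        "https://rebind.attacker.example/",            # mixed public/IMDS answers
    ):
        print(f"{is_safe_webhook_url(candidate, resolve=fake_resolve)!s:5}  {candidate}")
```

Validating at creation time closes the gap the description names, but it is not sufficient on its own: the owner of a hostname can re-point it between creation and delivery (DNS rebinding), and an HTTP client that follows redirects can be bounced from a public URL to an internal one. A delivery routine in the position of `_send_webhook_request()` should therefore re-run the same check immediately before connecting, or connect to the address it validated rather than resolving again, and should not follow redirects. The example deliberately stops at the creation-time check.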
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | < 3.9.0 | 3.9.0 |
| mlflow | mlflow_mlflow | >= 0, < 3.9.0 | 3.9.0 |
| mlflow | mlflow_mlflow | < 3.10.0 (lower bound unspecified) | 3.10.0 |
GHSA · 2026-05-11
MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability
CVE-2026-2393 · HIGH · CWE-918
Description: identical to the CVE record above.

GHSA (unreviewed) · 2026-05-11
GHSA-65h7-c7c4-mghx
CVE-2026-2393 · HIGH · CWE-918
Description: identical to the CVE record above.
VulDB · 2026-05-11 · CVSS 7.1
MLflow up to 3.9.x HTTP POST Request handlers.py _create_webhook url server-side request forgery
CVE-2026-2393 · HIGH
A vulnerability was found in MLflow up to 3.9.x and has been rated as critical. The affected function is _create_webhook in the file mlflow/server/handlers.py, part of the HTTP POST Request Handler component. Manipulation of the argument url leads to server-side request forgery.
This vulnerability is identified as CVE-2026-2393. The attack can be initiated remotely. No exploit is available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-11