CVE-2026-33865
published 2026-04-07CVE-2026-33865: MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated…
PriorityP428medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.22%
12.2th percentile
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | <= 3.10.1 | — |
| mlflow | mlflow | <= 3.10.1 | — |
| mlflow | mlflow | >= 0 < 3.11.1 | 3.11.1 |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-training-cuda128-torch29-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat5.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
ghsa·2026-04-07
CVE-2026-33865 [MEDIUM] CWE-79 MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
OSV
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
osv·2026-04-07
CVE-2026-33865 [MEDIUM] MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Red Hat
MLflow: MLflow: Stored Cross-Site Scripting (XSS) via unsafe parsing of MLmodel artifacts
vendor_redhat·2026-04-07·CVSS 5.1
CVE-2026-33865 [MEDIUM] CWE-502 MLflow: MLflow: Stored Cross-Site Scripting (XSS) via unsafe parsing of MLmodel artifacts
MLflow: MLflow: Stored Cross-Site Scripting (XSS) via unsafe parsing of MLmodel artifacts
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
A flaw was found in MLflow, a platform for managing the machine learning lifecycle. This Stored Cross-Site Scripting (XSS) vulnerability, a type of injection where malicious scripts are injected into trusted websites, is caused by the unsafe parsing of YAML-based MLmodel artifacts
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33865 MLflow: MLflow: Stored Cross-Site Scripting (XSS) via unsafe parsing of MLmodel artifacts
bugzilla·2026-04-07·CVSS 5.1
CVE-2026-33865 [MEDIUM] CVE-2026-33865 MLflow: MLflow: Stored Cross-Site Scripting (XSS) via unsafe parsing of MLmodel artifacts
CVE-2026-33865 MLflow: MLflow: Stored Cross-Site Scripting (XSS) via unsafe parsing of MLmodel artifacts
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Wiz
CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33865 [CRITICAL] CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33865 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Source : NVD
## 5.1
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33866 [CRITICAL] CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33866 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
Source : NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity MEDIUM
2026-04-07
Published