CVE-2026-33866
published 2026-04-07CVE-2026-33866: MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a…
PriorityP425medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.36%
28.0th percentile
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | <= 3.10.1 | — |
| mlflow | mlflow | <= 3.10.1 | — |
| mlflow | mlflow | 0 – 3.10.1 | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-training-cuda128-torch29-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
MLflow: MLflow: Information disclosure via authorization bypass in AJAX endpoint
vendor_redhat·2026-04-07·CVSS 5.3
CVE-2026-33866 [MEDIUM] CWE-425 MLflow: MLflow: Information disclosure via authorization bypass in AJAX endpoint
MLflow: MLflow: Information disclosure via authorization bypass in AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
A flaw was found in MLflow. A user without proper permissions to an experiment can exploit an authorization bypass in the AJAX endpoint, which is used for downloading saved model artifacts. This missing access-control validation allows the unauthorized user to directly query the endpoint and retrieve model artifacts they are not authorized to access, leading to
OSV
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
osv·2026-04-07
CVE-2026-33866 [MEDIUM] MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
GHSA
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
ghsa·2026-04-07
CVE-2026-33866 [MEDIUM] CWE-862 MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33866 MLflow: MLflow: Information disclosure via authorization bypass in AJAX endpoint
bugzilla·2026-04-07·CVSS 5.3
CVE-2026-33866 [MEDIUM] CVE-2026-33866 MLflow: MLflow: Information disclosure via authorization bypass in AJAX endpoint
CVE-2026-33866 MLflow: MLflow: Information disclosure via authorization bypass in AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
Wiz
CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33865 [CRITICAL] CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33865 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Source : NVD
## 5.1
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33866 [CRITICAL] CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33866 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
Source : NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity MEDIUM
2026-04-07
Published