CVE-2026-2611
MLflow · MLflow
A cross-origin validation error in the MLflow Assistant allows remote attackers to execute arbitrary commands on a user's local machine via malicious web pages.
Executive summary
A critical origin validation vulnerability in the MLflow Assistant allows remote attackers to bypass security controls and execute arbitrary commands on local systems, necessitating an immediate upgrade.
Vulnerability
This vulnerability (CWE-346) stems from improper origin validation within the MLflow Assistant’s /ajax-api endpoints. By exploiting cross-origin requests, a remote attacker can trick a user's browser into interacting with the local MLflow instance, modifying configuration settings to enable full access and executing commands via the Claude Code sub-agent.
Business impact
The CVSS score of 9.6 highlights a critical risk to local workstations and integrated development environments. A successful exploit could lead to the theft of sensitive API keys, source code, or internal data, as well as the execution of arbitrary commands in the context of the user’s machine. This is particularly dangerous for developers and data scientists who utilize MLflow for local model development.
Remediation
Immediate Action: Upgrade MLflow to version 3.10.0 or later, which resolves the origin validation errors.
Proactive Monitoring: Review browser logs and network traffic for suspicious cross-origin requests directed toward local MLflow instances.
Compensating Controls: Use browser extensions or firewall policies to restrict cross-origin requests and disable the MLflow Assistant feature if it is not required for current workflows.
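To make the Proactive Monitoring step concrete, the following added example (not code from MLflow or from this advisory) flags requests to /ajax-api whose Origin header does not match the local instance. The JSON log format, its field names, the /ajax-api/placeholder-* paths and the plain-http scheme are assumptions; adapt them to whatever your proxy or traffic capture records.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: JSON lines as a local logging proxy in front of MLflow
# might record them. Field names and the /ajax-api/placeholder-* paths are
# assumptions for this example, not MLflow's own log format or routes.
SAMPLE_LOG = """\
{"method": "GET", "host": "localhost:5000", "path": "/ajax-api/placeholder-a", "origin": "http://localhost:5000"}
{"method": "POST", "host": "127.0.0.1:5000", "path": "/ajax-api/placeholder-b", "origin": "https://untrusted.example"}
{"method": "POST", "host": "localhost:5000", "path": "/ajax-api/placeholder-b", "origin": "null"}
{"method": "GET", "host": "localhost:5000", "path": "/other/index.html", "origin": "https://untrusted.example"}
{"method": "POST", "host": "localhost:5000", "path": "/ajax-api/placeholder-c", "origin": null}
{"method": "POST", "host": "127.0.0.1:5000", "path": "/ajax-api/placeholder-c", "origin": "http://localhost:5000"}
"""


def classify(rec, scheme="http"):
    """Classify one request record by how its Origin relates to the Host."""
    if not rec["path"].startswith("/ajax-api"):
        return "ignored"            # outside the endpoints named in the advisory
    origin = rec.get("origin")
    if origin is None:
        return "no-origin"          # header absent, e.g. a CLI or SDK client
    parts = urlsplit(origin)
    # Same origin means scheme, host and port all match. The literal "null"
    # (opaque origin) parses to an empty scheme and so never matches.
    if parts.scheme == scheme and parts.netloc.lower() == rec["host"].lower():
        return "same-origin"
    return "cross-origin"


def suspicious(log_text):
    """Return the /ajax-api records whose Origin is not the instance itself."""
    recs = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [r for r in recs if classify(r) == "cross-origin"]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_LOG):
        print(r["method"], r["host"], r["path"], "Origin:", r["origin"])
```

The last sample record is flagged because a page served from localhost and a request sent to 127.0.0.1 are different origins even though both resolve to the same machine.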
Exploitation status
Public Exploit Available: Yes (Proof-of-Concept)
Analyst recommendation
Organizations using MLflow for local development must upgrade to version 3.10.0 or later immediately. The presence of a proof-of-concept exploit significantly increases the risk of successful targeting; applying the update is the only effective way to mitigate the risk of arbitrary code execution.