Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-33865, CVE-2026-33866) found in MLflow software.
Analysis Summary
# Vulnerability: Stored XSS and Authorization Bypass in MLflow
## CVE Details
- **CVE ID:** CVE-2026-33865, CVE-2026-33866
- **CVSS Score:** Not explicitly provided in the source (Typically High for these classes)
- **CWE:**
  - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  - CWE-862: Missing Authorization
## Affected Systems
- **Products:** MLflow
- **Versions:** All versions through 3.10.1
- **Configurations:** Systems utilizing the MLflow web interface and AJAX endpoints for artifact management.
## Vulnerability Description
MLflow is impacted by two distinct security flaws:
1. **CVE-2026-33865 (Stored XSS):** The vulnerability stems from unsafe parsing of YAML-based `MLmodel` artifacts within the MLflow web UI. When a user views a maliciously crafted artifact, the UI executes the embedded payload.
2. **CVE-2026-33866 (Authorization Bypass):** The AJAX endpoint responsible for downloading saved model artifacts fails to perform adequate access-control validation. This allows an authenticated user to bypass intended restrictions and download artifacts from experiments they are not authorized to access.
## Exploitation
- **Status:** Reported via Coordinated Vulnerability Disclosure (CVD); PoC details are implied via the technical description.
- **Complexity:** Low to Medium
- **Attack Vector:** Network
- **CVE-2026-33865:** Requires the attacker to have permissions to upload an artifact (Authenticated).
- **CVE-2026-33866:** Requires a direct query to the vulnerable AJAX endpoint (Authenticated).
## Impact
- **Confidentiality:** High (Session hijacking via XSS; unauthorized access to proprietary model artifacts).
- **Integrity:** Medium/High (Performing operations on behalf of other users via XSS).
- **Availability:** Low (Direct service disruption is not the primary focus).
## Remediation
### Patches
- Users are advised to upgrade MLflow to a version newer than **3.10.1**. (Note: Users should check the official MLflow repository/PyPI for the latest release following these disclosures).
### Workarounds
- Limit the ability of untrusted users to upload `MLmodel` artifacts.
- Implement network-level access controls or additional WAF rules to monitor and restrict access to artifact-download AJAX endpoints until patches are applied.
## Detection
- **Indicators of Compromise:**
  - Presence of suspicious YAML/MLmodel files containing `<script>` tags or unusual JavaScript event handlers.
  - Unusual access patterns in web logs where users access artifact IDs associated with experiments they do not own.
- **Detection methods and tools:** Audit MLflow server logs for unauthorized responses from AJAX artifact endpoints and scan uploaded artifacts for XSS payloads.
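
A heuristic scanner for the first indicator above, as an added example that is not part of the advisory or MLflow's own code. It flags `<script>` tags and inline event-handler attributes in files named `MLmodel`; the sample documents and the fields carrying the markers are constructed, since the advisory does not say which field the UI renders.

```python
import re
from pathlib import Path

# Heuristic rules for the two markers named in the indicator list.
RULES = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
}

def scan_mlmodel_text(text):
    """Return (line_number, rule_name, stripped_line) for every rule match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings

def scan_artifact_root(root):
    """Scan every file named MLmodel below root; map path -> findings."""
    report = {}
    for path in Path(root).rglob("MLmodel"):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_mlmodel_text(text)
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples: field names and values are illustrative only.
BENIGN = """\
artifact_path: model
flavors:
  python_function:
    loader_module: mlflow.sklearn
run_id: 0123456789abcdef
"""
SUSPICIOUS = """\
artifact_path: model
flavors:
  python_function:
    loader_module: "<script>/* constructed marker */</script>"
    env: '<img src=x onerror="/* constructed marker */">'
run_id: 0123456789abcdef
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_mlmodel_text(sample))
```

Matches are leads for manual review, not verdicts: the rules work on raw text, so they can fire on harmless strings and will not see a value written with YAML escape sequences.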
## References
- CERT Polska Advisory: [https://cert[.]pl/en/posts/2026/04/vulnerabilities-in-mlflow/](https://cert[.]pl/en/posts/2026/04/vulnerabilities-in-mlflow/)
- CVE-2026-33865: [https://www[.]cve[.]org/CVERecord?id=CVE-2026-33865](https://www[.]cve[.]org/CVERecord?id=CVE-2026-33865)
- CVE-2026-33866: [https://www[.]cve[.]org/CVERecord?id=CVE-2026-33866](https://www[.]cve[.]org/CVERecord?id=CVE-2026-33866)