CVE-2026-2393
7.1 HIGH
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0
Published: 2026-05-11 · Last updated: 2026-05-27
Severity and scoring
- CVSS: 7.1 HIGH
- Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- CWE: CWE-918
Affected products
| Vendor | Product |
|---|---|
| lfprojects | mlflow |
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation, and the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
Source: NVD
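As an added illustration (not MLflow's code and not the fix in the referenced commit), this is the kind of check the description says was missing from `_create_webhook()`: a scheme allowlist, rejection of embedded credentials, and refusal of any host that is, or resolves to, a loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint) or otherwise non-public address. `webhook_url_problem`, `_non_public` and the injectable `resolver` are hypothetical names; the resolver results used in the comments and tests are constructed.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Assumption: webhooks may only use HTTPS; http://, file://, gopher:// etc. are rejected.
ALLOWED_SCHEMES = {"https"}

def _resolve(host: str) -> Iterable[str]:
    """Default resolver: every address the hostname currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _non_public(addr: str) -> bool:
    """True for any address the backend must never be coaxed into contacting."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot smuggle a private
    # target past a check that only looks at the IPv6 attributes.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local (169.254/16, i.e. the
    # cloud metadata endpoint) and reserved ranges; multicast is added explicitly.
    return not ip.is_global or ip.is_multicast

def webhook_url_problem(url: str,
                        resolver: Callable[[str], Iterable[str]] = _resolve) -> Optional[str]:
    """Return None if the URL is an acceptable webhook target, else the reason.

    `resolver` is injectable so the check runs offline in tests and so a caller
    can pin the addresses it validated for the actual delivery (validating only
    at registration time leaves a DNS-rebinding window at send time).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "URL has no host"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"
    try:
        ipaddress.ip_address(host)          # IP literal: check it directly
        addresses = [host]
    except ValueError:                      # hostname: check what it resolves to
        try:
            addresses = list(resolver(host))
        except OSError as exc:
            return f"host cannot be resolved: {exc!r}"
    for addr in addresses:
        if _non_public(addr):
            return f"host resolves to non-public address {addr}"
    return None if addresses else "host resolved to no addresses"
```

A delivery path that re-resolves the name at send time should either call this check again immediately before the request or connect to the addresses pinned during validation.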
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-2393
- [Patch] https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389
- [Exploit reference] https://huntr.com/bounties/04ef100d-06b5-4a70-95b1-b7be23aa8150
Related CVEs
Same vendor
- CVE-2026-10803 — A flaw has been found in MLflow up to 3.10.0 (3.6 LOW)
- CVE-2026-4035 — A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which... (7.7 HIGH)
- CVE-2026-3198 — MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints (6.5 MEDIUM)
- CVE-2026-2651 — A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifac... (9.0 CRITICAL)
- CVE-2026-2734 — In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack... (6.5 MEDIUM)
Same CWE
- CVE-2026-53859 — OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-... (6.5 MEDIUM)
- CVE-2026-47684 — Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing (7.7 HIGH)
- CVE-2025-60175 — Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions (4.4 MEDIUM)
- CVE-2026-50888 — An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allow... (8.1 HIGH)
- CVE-2026-50887 — A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan inte... (9.1 CRITICAL)