Technical description
MLflow version 3.9.0 introduced a cross-origin request vulnerability in the MLflow Assistant feature's /ajax-api endpoints. Because the endpoints do not validate the request origin properly, a remote attacker can use cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. Successful exploitation grants the attacker the ability to execute arbitrary commands, access local files, and manipulate MLflow projects through the victim's authenticated session.
Attack vector
An attacker hosts a malicious webpage containing JavaScript that sends crafted requests to http://localhost:5000/ajax-api (the default MLflow UI port). When a victim with MLflow Assistant running visits the attacker's page, the browser sends cross-origin requests that the MLflow server accepts because origin checks are missing. The attacker can then invoke Assistant commands, run code cells, query model metadata, and access any files the MLflow process can reach.
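The kind of origin check whose absence is described above, shown as generic WSGI middleware. This is an added example, not MLflow's code and not the project's fix. The allowlisted origins, the policy for requests that carry no Origin or Referer, and all names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: the UI is only ever opened at these origins (default port from
# the advisory); "/ajax-api" is the endpoint prefix the advisory names.
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}
ALLOWED_HOSTS = {urlsplit(o).netloc for o in ALLOWED_ORIGINS}
PROTECTED_PREFIX = "/ajax-api"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(value):
    """Reduce an Origin or Referer value to scheme://host[:port], else None."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # covers the opaque origin "null" sent by sandboxed frames
    return f"{parts.scheme}://{parts.netloc.lower()}"


def is_allowed(environ):
    """Return True if the request may reach the protected endpoints."""
    if not environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIX):
        return True
    # A Host header naming anything but the expected local addresses is refused.
    if environ.get("HTTP_HOST", "").lower() not in ALLOWED_HOSTS:
        return False
    # Fetch metadata, when the browser sends it, labels cross-site requests.
    if environ.get("HTTP_SEC_FETCH_SITE", "same-origin") not in ("same-origin", "none"):
        return False
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if source is None:
        # No Origin or Referer at all: this example permits read-only methods only.
        return environ.get("REQUEST_METHOD", "GET") in SAFE_METHODS
    return origin_of(source) in ALLOWED_ORIGINS


class OriginGuard:
    """WSGI middleware that answers 403 before the wrapped app sees the request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_allowed(environ):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"cross-origin request rejected\n"]
```

The check runs on the server side, so it does not depend on which browser the user runs.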
Affected systems
MLflow 3.9.0 installations with the MLflow Assistant feature enabled. The vulnerability affects data scientists and ML engineers running MLflow locally during model development, particularly those using the Assistant's AI chat interface for code generation and experiment management.
Mitigation
MLflow has not yet released a patched version; CVE-2026-2611 was published in the NVD on May 19, 2026, without an accompanying fix. Interim mitigations: (1) disable the MLflow Assistant feature if not required; (2) restrict MLflow UI access to localhost only via firewall rules; (3) use a browser with strict CORS enforcement; (4) avoid browsing untrusted websites while MLflow Assistant is running. Monitor the MLflow GitHub repository for security advisories and upgrade immediately once a patch is available.