MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

GHSA-fh64-r2vc-xvhr · BIT-mlflow-2026-33865 · CVE-2026-33865 · PYSEC-2026-93

Published Apr 7, 2026 · Modified Jun 6, 2026

Description

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.

This issue affects MLflow version through 3.10.1

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33865
WEB https://github.com/mlflow/mlflow/pull/21435
WEB https://github.com/mlflow/mlflow/commit/aca4dd0ec88a12f7655155c224371280e9b45dda
WEB https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
WEB https://cert.pl/en/posts/2026/04/CVE-2026-33865
PACKAGE https://github.com/mlflow/mlflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2026-93.yaml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes