MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint

GHSA-46r5-x6jq-v8g6 · BIT-mlflow-2026-33866 · CVE-2026-33866 · PYSEC-2026-94

Published Apr 7, 2026 · Modified Jun 6, 2026

Description

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.

This issue affects MLflow version through 3.10.1

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33866
WEB https://github.com/mlflow/mlflow/pull/21708
WEB https://github.com/mlflow/mlflow/commit/005b959cacda05d1423356cfcbd9ebeda8ff96a7
WEB https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
WEB https://cert.pl/en/posts/2026/04/CVE-2026-33865
PACKAGE https://github.com/mlflow/mlflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2026-94.yaml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes