{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33866", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-03-24T13:13:32.905Z", "datePublished": "2026-04-07T12:57:44.380Z", "dateUpdated": "2026-04-14T15:12:44.168Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/", "defaultStatus": "unaffected", "packageName": "mlflow", "product": "Mlflow", "repo": "https://github.com/mlflow/", "vendor": "Mlflow", "versions": [{"lessThanOrEqual": "3.10.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "S\u0142awomir Zakrzewski (AFINE)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access\u2011control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.</div> <br><span style=\"background-color: rgba(214, 214, 214, 0.1);\"><span style=\"background-color: rgba(214, 214, 214, 0.1);\">This issue affects MLflow version through 3.10.1</span></span><br>"}], "value": "MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access\u2011control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.\n\n \nThis issue affects MLflow version through 3.10.1"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115: Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-09T13:30:36.155Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/mlflow/mlflow/pull/21708"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/"}, {"tags": ["exploit", "technical-description"], "url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors"}], "source": {"discovery": "EXTERNAL"}, "title": "Authorization Bypass in MLflow AJAX Endpoint", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:12:33.985809Z", "id": "CVE-2026-33866", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:12:44.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33866", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:12:33.985809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:05:41.111Z"}}], "cna": {"title": "Authorization Bypass in MLflow AJAX Endpoint", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "S\u0142awomir Zakrzewski (AFINE)"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115: Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mlflow/", "vendor": "Mlflow", "product": "Mlflow", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.10.1"}], "packageName": "mlflow", "collectionURL": "https://github.com/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mlflow/mlflow/pull/21708", "tags": ["patch"]}, {"url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/", "tags": ["third-party-advisory"]}, {"url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors", "tags": ["exploit", "technical-description"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access\u2011control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.\n\n \nThis issue affects MLflow version through 3.10.1", "supportingMedia": [{"type": "text/html", "value": "<div>MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access\u2011control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.</div> <br><span style=\"background-color: rgba(214, 214, 214, 0.1);\"><span style=\"background-color: rgba(214, 214, 214, 0.1);\">This issue affects MLflow version through 3.10.1</span></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-09T13:30:36.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33866", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:12:44.168Z", "dateReserved": "2026-03-24T13:13:32.905Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-04-07T12:57:44.380Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1C49CD5-5BB0-422B-9A71-5A6832DF6713", "versionEndIncluding": "3.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access\u2011control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.\n\n \nThis issue affects MLflow version through 3.10.1"}], "id": "CVE-2026-33866", "lastModified": "2026-04-20T18:45:16.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-07T13:16:47.000", "references": [{"source": "cvd@cert.pl", "tags": ["Exploit", "Third Party Advisory"], "url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/"}, {"source": "cvd@cert.pl", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/mlflow/mlflow/pull/21708"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mlflow", "source": "cna", "vendor": "Mlflow"}, "product": "mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-04-07T19:54:09.486085+00:00", "value": {"mitigation_remediation": ["Upgrade to a version newer than 3.10.1 that contains the fix for the missing authorization check.", "Verify that the Ajax download endpoint no longer returns artifacts to users without proper experiment permissions.", "Implement least\u2011privilege user roles and regularly audit permissions to prevent unauthorized access."], "summary": {"action": "Patch", "impact": "Unauthorized access to model artifacts via missing access control"}, "threat_synthesis": {"affected_systems": "MLflow releases up through version\u202f3.10.1 are affected. All builds of the MLflow product distributed by the Mlflow vendor fall into this range.", "description_and_impact": "The vulnerability enables a user who lacks permission to an experiment to retrieve model artifacts through an unsecured AJAX endpoint. Because the application omits required authorization checks, attackers can access confidential data that should be protected, aligning with CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and the issue is not listed in the CISA KEV catalogue. No EPSS score is reported. An attacker can exploit the flaw by issuing an HTTP request to the AJAX endpoint while authenticated with any user account that does not have experiment\u2011level permissions. The exploit requires no special privileges beyond network access to the MLflow server, making it likely to be performed from an internal network or any system that can reach the endpoint."}}}}, "created": "2026-04-08T19:37:58.350186+00:00", "updated": "2026-04-08T19:49:31.192304+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow"]}