CVE-2026-2611 Overview
CVE-2026-2611 is a critical origin validation vulnerability in MLflow version 3.9.0. The MLflow Assistant feature exposes /ajax-api endpoints without validating the Origin header of incoming requests. A remote attacker can host a malicious webpage that, when opened by the victim, issues cross-origin requests to the Assistant listening on the victim's loopback interface. Because the Origin is never checked, those requests can modify the Assistant configuration and enable full access mode. Once full access is enabled, the attacker can execute arbitrary commands through the Claude Code sub-agent. The flaw is tracked as [CWE-346: Origin Validation Error] and is resolved in MLflow 3.10.0.
Critical Impact
Remote attackers can achieve arbitrary command execution on a victim's machine by luring the user to visit a malicious webpage while MLflow Assistant is running locally.
Affected Products
- MLflow version 3.9.0
- MLflow Assistant feature (/ajax-api endpoints)
- Deployments integrating the Claude Code sub-agent through MLflow Assistant
Discovery Timeline
- 2026-05-19 - CVE-2026-2611 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-2611
Vulnerability Analysis
MLflow 3.9.0 introduced the MLflow Assistant feature with a new /ajax-api path prefix intended for browser-side calls. The Assistant binds to the loopback interface, so only the local user is expected to reach it. However, the HTTP layer does not validate the Origin header on these endpoints. Binding to loopback is not a trust boundary against a browser running on the same host: a script on any webpage the victim opens can direct fetch requests at http://localhost, and the browser sends them on the page's behalf. CORS constrains whether that script can read the response, not whether the request is delivered; for requests the browser treats as "simple" (such as a form-encoded POST) no preflight is sent at all, so a state-changing request reaches the server even though the script never sees the reply. The Assistant honours those requests, including configuration changes that elevate it from restricted to full access mode. With full access enabled, the Claude Code sub-agent executes attacker-supplied commands on the host. User interaction is required because the victim must visit the attacker-controlled page, but no credentials, prompts, or authentication challenges block the request chain.
Root Cause
The root cause is improper origin validation [CWE-346] on the AJAX_API_PATH_PREFIX routes. The existing CORS and host-validation logic in mlflow/server/security_utils.py covered the /api/ prefix but not the newly added /ajax-api/ prefix, so the Assistant's browser-facing routes had no origin check at all. Loopback-only binding was treated as a sufficient trust boundary, which ignores that a browser on the same host will send requests to loopback on behalf of any origin it has loaded.
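The bug class is easiest to see in code. The following is an added example, not MLflow's own code: it models an origin check gated on a list of protected path prefixes, first with only /api/ covered (the 3.9.0 situation) and then with /ajax-api/ added. The function names, the prefix tuples and the localhost regex are assumptions made for this illustration.

```python
"""Illustrative origin check for loopback-bound API routes.

Added example, not MLflow code. It models the bug class described above:
an origin check gated on a list of path prefixes, with a newly added
prefix missing from the list. The function names, the prefix tuples and
the regex are assumptions made for this example.
"""
import re
from typing import Iterable, Optional

# Origins a loopback-only service may accept from a browser. The pattern is
# anchored at both ends so that "http://localhost.attacker.example" or
# "http://127.0.0.1.nip.io" cannot pass as a localhost origin.
LOCALHOST_ORIGIN_RE = re.compile(
    r"^https?://(?:localhost|127(?:\.\d{1,3}){3}|\[::1\])(?::\d+)?$",
    re.IGNORECASE,
)

# Before the fix: only /api/ routes were protected by the origin check.
VULNERABLE_PREFIXES = ("/api/",)
# After the fix: the browser-facing /ajax-api/ prefix is protected as well.
FIXED_PREFIXES = ("/api/", "/ajax-api/")


def is_localhost_origin(origin: str) -> bool:
    """True only for an Origin header value that names the local machine."""
    return LOCALHOST_ORIGIN_RE.match(origin.strip()) is not None


def should_block(path: str, origin: Optional[str], prefixes: Iterable[str]) -> bool:
    """Decide whether a request to ``path`` with the given Origin must be rejected.

    Requests outside the protected prefixes (e.g. /health) are not checked.
    A missing Origin header means a non-browser client (curl, the MLflow
    client library) and is allowed. A present Origin that is not a
    localhost pattern, including the literal "null" sent by sandboxed
    frames, is blocked.
    """
    if not any(path.startswith(prefix) for prefix in prefixes):
        return False
    if origin is None:
        return False
    return not is_localhost_origin(origin)


if __name__ == "__main__":
    # The same cross-origin request slips through the vulnerable prefix list
    # and is rejected once /ajax-api/ is included.
    request = ("/ajax-api/example/config", "https://attacker.example")
    print("vulnerable:", should_block(*request, VULNERABLE_PREFIXES))  # False
    print("fixed:     ", should_block(*request, FIXED_PREFIXES))       # True
```

The check is deliberately keyed on the full host part of the Origin rather than a substring match; a check that looks for "localhost" anywhere in the value would accept an attacker-controlled host such as localhost.attacker.example.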
Attack Vector
An attacker hosts a webpage that issues fetch requests to http://127.0.0.1 Assistant endpoints. The first request flips the Assistant configuration to full access. Subsequent requests submit prompts that direct the Claude Code sub-agent to run arbitrary shell commands on the victim's workstation.
# Security patch in mlflow/server/security_utils.py
# Block CORS for ajax paths (#20832)
# Paths exempt from host validation
HEALTH_ENDPOINTS = ["/health", "/version"]
-# API path prefix for MLflow endpoints
+# API path prefixes for MLflow endpoints
API_PATH_PREFIX = "/api/"
+AJAX_API_PATH_PREFIX = "/ajax-api/"
# Test-only endpoints that should not have CORS blocking
TEST_ENDPOINTS = ["/test", "/api/test"]
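Review bot: the new AJAX_API_PATH_PREFIX constant is defined in this hunk but nothing here consumes it, so this hunk alone does not close the gap; any caller that compares request paths against API_PATH_PREFIX must also be updated to test the new prefix, which is exactly the spot that was missed in 3.9.0. Consider exposing one tuple, for example `API_PATH_PREFIXES = (API_PATH_PREFIX, AJAX_API_PATH_PREFIX)`, and having callers use `path.startswith(API_PATH_PREFIXES)` so that a prefix added here later is covered automatically. Also note that TEST_ENDPOINTS still lists only "/api/test"; if the test exemption is meant to apply under the new prefix too, add the matching "/ajax-api/test" entry, otherwise a short comment on the asymmetry would help the next reader.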
Source: GitHub Commit 8f9c8a5
The companion change in mlflow/server/fastapi_security.py imports LOCALHOST_ORIGIN_PATTERNS and enforces origin checks on the new prefix, blocking cross-origin browser requests against the Assistant.
Detection Methods for CVE-2026-2611
Indicators of Compromise
- Inbound HTTP requests to http://127.0.0.1/ajax-api/ carrying an external Origin or Referer header.
- MLflow Assistant configuration changes that toggle the access mode from restricted to full access without local user action.
- Unexpected child processes spawned by the MLflow or Claude Code sub-agent process tree, particularly shells (bash, sh, cmd.exe, powershell.exe).
Detection Strategies
- Inspect MLflow server access logs for requests to /ajax-api/ paths whose Origin header is present and does not match a localhost pattern. Default access-log formats record Referer and User-Agent but not Origin, so add that header to the log format of the server or reverse proxy in front of MLflow first.
- Hunt for process-execution telemetry where the MLflow Python process or Claude Code sub-agent spawns command interpreters or network utilities.
- Correlate browser activity to localhost with subsequent process creation events on the same host within a short time window.
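The first two strategies can be run over log data directly. The following is an added example, not part of MLflow or any MLflow tooling: it parses access-log lines and reports /ajax-api/ requests whose Origin or Referer points somewhere other than localhost. It assumes the combined log format with the Origin header appended as a final quoted field; the sample lines and the /ajax-api/example/... paths are constructed placeholders, not real MLflow endpoints.

```python
"""Hunt access logs for cross-origin requests to /ajax-api/ routes.

Added example for the detection strategy above; it is not part of MLflow.
Assumptions: the log format is the combined log format with the Origin
header appended as a final quoted field (the default format records
Referer but not Origin, so the server or reverse proxy must be configured
to log it). The sample lines and the /ajax-api/example/... paths below are
constructed placeholders, not real MLflow endpoints.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Anchored on the host so "http://localhost.attacker.example" is not local.
LOCALHOST_URL_RE = re.compile(
    r"^https?://(?:localhost|127(?:\.\d{1,3}){3}|\[::1\])(?::\d+)?(?:/|$)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ts: str
    client: str
    method: str
    path: str
    origin: str
    referer: str


def is_local_or_absent(url: str) -> bool:
    """Absent ("-" or empty) or localhost URLs are benign for this rule."""
    return url in ("", "-") or LOCALHOST_URL_RE.match(url) is not None


def suspicious_ajax_requests(lines: Iterable[str]) -> List[Finding]:
    """Return /ajax-api/ requests whose Origin or Referer is not localhost.

    Lines that do not parse are skipped rather than raising, so one
    malformed line cannot abort a hunt over a large log.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/ajax-api/"):
            continue
        if is_local_or_absent(m["origin"]) and is_local_or_absent(m["referer"]):
            continue
        findings.append(Finding(m["ts"], m["client"], m["method"], m["path"],
                                m["origin"], m["referer"]))
    return findings


# Constructed sample log; the paths are placeholders.
SAMPLE_LOG = [
    # 1. legitimate UI call made by the MLflow page served from localhost
    '127.0.0.1 - - [19/May/2026:10:00:01 +0000] "GET /ajax-api/example/settings HTTP/1.1" '
    '200 512 "http://localhost:5000/" "Mozilla/5.0" "http://localhost:5000"',
    # 2. non-browser client: no Origin, no Referer
    '127.0.0.1 - - [19/May/2026:10:00:02 +0000] "GET /ajax-api/example/settings HTTP/1.1" '
    '200 512 "-" "python-requests/2.32" "-"',
    # 3. cross-origin POST from an attacker-controlled page
    '127.0.0.1 - - [19/May/2026:10:00:03 +0000] "POST /ajax-api/example/config HTTP/1.1" '
    '200 48 "https://attacker.example/lure.html" "Mozilla/5.0" "https://attacker.example"',
    # 4. opaque origin ("null"), as sent by sandboxed frames and some redirects
    '127.0.0.1 - - [19/May/2026:10:00:04 +0000] "POST /ajax-api/example/prompt HTTP/1.1" '
    '200 48 "-" "Mozilla/5.0" "null"',
    # 5. out of scope for this rule: /api/ path, covered by the pre-existing check
    '127.0.0.1 - - [19/May/2026:10:00:05 +0000] "GET /api/2.0/example HTTP/1.1" '
    '403 0 "https://attacker.example/" "Mozilla/5.0" "https://attacker.example"',
    # 6. malformed line, skipped
    'garbage',
]

if __name__ == "__main__":
    for f in suspicious_ajax_requests(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.method} {f.path} "
              f"origin={f.origin!r} referer={f.referer!r}")
```

Two details matter in practice: an absent Origin is treated as benign because legitimate non-browser clients never send one, and the literal value "null" is treated as hostile because it is an opaque origin, never a localhost page. Feed the findings into the process-creation correlation described above rather than alerting on them alone.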
Monitoring Recommendations
- Enable verbose logging for MLflow Assistant endpoints and forward logs to a central SIEM for correlation.
- Alert on outbound network connections initiated by processes spawned from the MLflow Assistant process tree.
- Track installed MLflow versions across developer workstations and flag any host still running 3.9.0.
How to Mitigate CVE-2026-2611
Immediate Actions Required
- Upgrade MLflow to version 3.10.0 or later on every host running the Assistant feature.
- Stop the MLflow Assistant service on any workstation that cannot be upgraded immediately.
- Audit Assistant configuration files for unauthorized access-mode changes and revert them.
Patch Information
The fix is delivered in MLflow 3.10.0 via commit 8f9c8a5. The patch defines AJAX_API_PATH_PREFIX and applies the existing CORS and host-validation logic, including LOCALHOST_ORIGIN_PATTERNS, to the /ajax-api/ routes. Additional context is available in the Huntr Bounty Report.
Workarounds
- Host firewall rules offer little protection against this bug: the hostile requests are issued by the victim's own browser on the same host, and at the network layer loopback traffic from a browser is indistinguishable from a legitimate local client. Rely on stopping or isolating the Assistant rather than on filtering its port.
- Run the MLflow Assistant inside an isolated container or VM without network access to sensitive resources.
- Disable the Claude Code sub-agent integration until the MLflow upgrade is completed.
# Upgrade MLflow to the patched release
pip install --upgrade "mlflow>=3.10.0"
# Verify the installed version
python -c "import mlflow; print(mlflow.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


