CVE-2026-33865 Overview
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affects MLflow through version 3.10.1. The flaw exists in how the MLflow web interface processes and renders YAML content from MLmodel artifact files without proper sanitization.
Critical Impact
Authenticated attackers can inject malicious scripts via MLmodel artifacts, enabling session hijacking and unauthorized actions when other users view the compromised artifacts in the MLflow UI.
Affected Products
- MLflow through version 3.10.1
- MLflow Web UI artifact rendering components
- MLflow YAML parsing functionality for MLmodel files
Discovery Timeline
- April 7, 2026 - CVE-2026-33865 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33865
Vulnerability Analysis
This Stored XSS vulnerability resides in MLflow's web interface artifact rendering functionality. When users upload MLmodel files (YAML-formatted metadata files used to describe ML models), the application fails to properly sanitize the YAML content before rendering it in the browser. This allows authenticated users to craft malicious MLmodel files containing JavaScript payloads that persist in the system and execute whenever another user views the artifact through the MLflow UI.
The attack requires authentication to upload the malicious artifact but affects any user who subsequently views the compromised model artifact. This makes it particularly dangerous in collaborative machine learning environments where multiple data scientists and engineers access shared model registries.
Root Cause
The root cause is improper input validation and output encoding when processing YAML-based MLmodel artifacts. The MLflow web interface parses and displays MLmodel file contents without sanitizing potentially dangerous HTML and JavaScript elements embedded within YAML field values. This violates secure coding practices for web applications where user-controlled input should never be rendered without proper encoding.
Attack Vector
The attack is network-based and requires low privileges (authentication) along with user interaction (victim must view the artifact). An attacker exploits this vulnerability by:
- Authenticating to the MLflow instance
- Creating or modifying an MLmodel YAML file to include malicious JavaScript within field values
- Uploading the poisoned MLmodel artifact to a model or experiment
- Waiting for another user to view the artifact in the MLflow web UI
- The malicious script executes in the victim's browser context, enabling session hijacking, cookie theft, or performing actions as the victim
The vulnerability is particularly concerning in multi-tenant MLflow deployments or organizations where multiple teams share model artifacts. Technical details about exploitation techniques can be found in the Afine Blog Post on MLflow Attacks.
Detection Methods for CVE-2026-33865
Indicators of Compromise
- Unusual JavaScript or HTML tags present within MLmodel YAML artifact files
- Unexpected <script> elements, event handlers (onerror, onload), or encoded payloads in model metadata
- Reports from users about unexpected browser behavior when viewing model artifacts
- Anomalous authentication sessions or unauthorized API calls following artifact views
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor artifact uploads for suspicious content patterns including HTML tags and JavaScript keywords
- Deploy web application firewalls (WAF) with XSS detection rules for the MLflow web interface
- Audit MLmodel files in model registries for unexpected or malformed YAML content
Monitoring Recommendations
- Enable detailed logging for artifact upload and view operations in MLflow
- Monitor browser console errors and CSP violation reports for evidence of blocked XSS attempts
- Track session anomalies such as sudden privilege changes or unusual API activity following artifact views
- Implement file integrity monitoring on stored MLmodel artifacts to detect post-upload modifications
How to Mitigate CVE-2026-33865
Immediate Actions Required
- Update MLflow to a patched version when available (versions after 3.10.1)
- Review existing MLmodel artifacts in your model registry for suspicious content
- Implement Content Security Policy headers to mitigate XSS impact
- Restrict artifact upload permissions to trusted users where possible
Patch Information
A fix for this vulnerability has been developed and is available via the GitHub Pull Request for MLflow. Organizations should update to the patched version of MLflow as soon as it becomes available. Additional technical details and security guidance are provided by the CERT Security Post CVE-2026-33865.
Workarounds
- Deploy a Content Security Policy (CSP) with script-src 'self' to prevent inline script execution
- Implement server-side sanitization of YAML content before rendering in the UI
- Restrict artifact upload capabilities to administrators and verified users only
- Consider deploying a reverse proxy with XSS filtering capabilities in front of MLflow
# Example: Configure CSP headers in nginx reverse proxy for MLflow
# Add to nginx server block configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
