CVE-2026-33866 Overview
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This vulnerability is classified as CWE-862 (Missing Authorization).
Critical Impact
Unauthorized users can access sensitive machine learning model artifacts, potentially exposing proprietary models, training data insights, and intellectual property stored within MLflow experiments.
Affected Products
- MLflow through version 3.10.1
Discovery Timeline
- 2026-04-07 - CVE-2026-33866 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-33866
Vulnerability Analysis
This authorization bypass vulnerability exists in MLflow's AJAX endpoint responsible for downloading saved model artifacts. The core issue stems from the endpoint failing to verify whether the requesting user has appropriate permissions to access artifacts associated with a specific experiment. When a user makes a request to download model artifacts, the application processes the request without validating the user's authorization level against the target experiment's access control list.
The vulnerability allows any authenticated user to enumerate and download model artifacts from experiments they should not have access to. This represents a horizontal privilege escalation scenario where users can access resources belonging to other users or teams within the same MLflow deployment.
Root Cause
The root cause is classified as CWE-862 (Missing Authorization). The AJAX endpoint for artifact downloads lacks proper access-control validation logic. When processing download requests, the application fails to check whether the authenticated user has been granted explicit permission to access the specified experiment and its associated artifacts. This architectural oversight allows the endpoint to serve artifact data based solely on the validity of the artifact path, without considering the user's authorization scope.
Attack Vector
The attack can be executed over the network by any authenticated user. An attacker with valid credentials to the MLflow instance can craft direct requests to the artifact download endpoint, specifying experiment IDs or artifact paths for experiments they do not have permission to access. Since the endpoint does not enforce authorization checks, the server responds with the requested artifact data regardless of the user's actual permissions.
The attacker can potentially enumerate available experiments and systematically download artifacts by iterating through experiment identifiers. This could lead to the exposure of trained machine learning models, model weights, configuration files, and other sensitive artifacts stored within MLflow.
Detection Methods for CVE-2026-33866
Indicators of Compromise
- Unusual artifact download requests from users accessing experiments outside their authorized scope
- Spike in API requests to the artifact download AJAX endpoint from a single user account
- Access logs showing sequential experiment ID enumeration patterns
- Downloads of artifacts from experiments where the requesting user has no recorded legitimate access
Detection Strategies
- Implement audit logging for all artifact download requests, capturing the requesting user and target experiment ID
- Monitor for access patterns where users request artifacts from experiments they have never interacted with before
- Set up alerts for high-volume artifact download requests that deviate from normal user behavior
- Cross-reference artifact access logs with experiment permission assignments to identify unauthorized access attempts
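The cross-referencing and sequential-ID checks listed above can be run offline over an audit log. The Python below is an added example, not MLflow code and not part of the original advisory; the JSON-lines record format, its field names, the sample users and the permission export are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed audit records, one JSON object per line. The field names are
# assumptions for this example, not an MLflow log format.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-04-08T09:00:01Z", "user": "alice", "experiment_id": 12}
{"ts": "2026-04-08T09:00:05Z", "user": "bob", "experiment_id": 3}
{"ts": "2026-04-08T09:02:10Z", "user": "mallory", "experiment_id": 7}
{"ts": "2026-04-08T09:02:11Z", "user": "mallory", "experiment_id": 8}
{"ts": "2026-04-08T09:02:12Z", "user": "mallory", "experiment_id": 9}
{"ts": "2026-04-08T09:02:13Z", "user": "mallory", "experiment_id": 10}
not-json garbage line
"""
# Constructed export of permission assignments: user -> granted experiment IDs.
PERMISSIONS = {"alice": {12, 13}, "bob": {3}, "mallory": {7}}

def parse_audit(text):
    """Yield (ts, user, experiment_id) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            yield rec["ts"], rec["user"], int(rec["experiment_id"])
        except (ValueError, KeyError, TypeError):
            continue

def unauthorized_downloads(records, permissions):
    """Return downloads whose experiment is not in the requesting user's grants."""
    return [r for r in records if r[2] not in permissions.get(r[1], set())]

def enumeration_suspects(records, min_run=4):
    """Map users to their longest run of consecutive experiment IDs, if >= min_run."""
    seen = defaultdict(set)
    for _, user, exp in records:
        seen[user].add(exp)
    suspects = {}
    for user, ids in seen.items():
        best, run, prev = 0, 0, None
        for i in sorted(ids):
            run = run + 1 if prev is not None and i == prev + 1 else 1
            best, prev = max(best, run), i
        if best >= min_run:
            suspects[user] = best
    return suspects

if __name__ == "__main__":
    recs = list(parse_audit(SAMPLE_AUDIT_LOG))
    for ts, user, exp in unauthorized_downloads(recs, PERMISSIONS):
        print(f"ALERT {ts} {user} downloaded from experiment {exp} without a grant")
    print("enumeration suspects:", enumeration_suspects(recs))
```

Tune `min_run` to the deployment: teams that legitimately work across adjacent experiment IDs will need a higher threshold or an allow-list.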
Monitoring Recommendations
- Enable detailed logging on the MLflow tracking server to capture all API endpoint interactions
- Review access logs regularly for anomalous patterns in artifact retrieval requests
- Deploy network monitoring to detect enumeration behavior targeting the artifact download endpoint
- Integrate MLflow logs with SIEM solutions for centralized security monitoring
How to Mitigate CVE-2026-33866
Immediate Actions Required
- Review and apply the security patch referenced in the GitHub MLflow Pull Request
- Audit artifact access logs to identify any potential unauthorized access that may have already occurred
- Implement network-level access controls to restrict the artifact download endpoint to trusted networks if immediate patching is not possible
- Review user permissions and experiment access controls to enforce the principle of least privilege
Patch Information
A fix has been developed and is available through the GitHub MLflow Pull Request #21708. Organizations should update to the patched version of MLflow as soon as it becomes available. Additional technical analysis is available from the CERT CVE-2026-33865 Analysis and the A Fine Blog Post, which discusses attack vectors against MLflow artifacts.
Workarounds
- Restrict network access to the MLflow tracking server to trusted internal networks only
- Implement a reverse proxy with custom authorization logic to validate user permissions before forwarding artifact download requests
- Disable the affected AJAX artifact download endpoint if not required for operations until a patch can be applied
- Deploy additional authentication layers such as mutual TLS for API access
# Example: Restrict MLflow access using firewall rules (Linux iptables)
# Allow only trusted internal network to access MLflow (adjust IP range as needed)
iptables -A INPUT -p tcp --dport 5000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP


