CVE-2026-2393
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The _create_webhook() function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the _send_webhook_request() function in mlflow/webhooks/delivery.py sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mlflow | mlflow/mlflow | unspecified < 3.10.0 | affected |
Weaknesses
- CWE-918: CWE-918 Server-Side Request Forgery (SSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://huntr.com/bounties/04ef100d-06b5-4a70-95b1-b7be23aa8150
- https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.