CVE-2026-33866: MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint

April 7, 2026 (updated April 27, 2026)

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.

This issue affects MLflow version through 3.10.1

References

afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
cert.pl/en/posts/2026/04/CVE-2026-33865
github.com/advisories/GHSA-46r5-x6jq-v8g6
github.com/mlflow/mlflow/commit/005b959cacda05d1423356cfcbd9ebeda8ff96a7
github.com/mlflow/mlflow/pull/21708
nvd.nist.gov/vuln/detail/CVE-2026-33866

Code Behaviors & Features

Detect and mitigate CVE-2026-33866 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →