MLflow SSRF Vulnerability (CVE-2026-2393) Exposes Internal Services

/HIGH /CVSS 7.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityserver-side-request-forgerycwe-918
MLflow SSRF Vulnerability (CVE-2026-2393) Exposes Internal Services

A critical Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-2393, has been identified in MLflow versions prior to 3.9.0. According to the National Vulnerability Database, the _create_webhook() function in mlflow/server/handlers.py fails to validate the user-controlled url parameter. This flaw allows an authenticated attacker to manipulate the _send_webhook_request() function in mlflow/webhooks/delivery.py into sending HTTP POST requests to arbitrary internal or external endpoints.

This lack of sanitization, URL scheme filtering, or allowlist validation on webhook URLs creates a direct path for exploitation. The National Vulnerability Database highlights that attackers can leverage this to force the MLflow backend to interact with internal services, query cloud metadata endpoints, or exfiltrate data to arbitrary external servers. This vulnerability carries a CVSS score of 7.1 (HIGH), signaling its severe potential for impact.

For defenders, this means a direct path to cloud credential theft and internal network access. The attacker’s calculus is straightforward: if they can authenticate to MLflow, they can pivot through the backend to reach systems that should be isolated. Patching is non-negotiable, but understanding the blast radius is key. This isn’t just about MLflow; it’s about what MLflow can reach.

What This Means For You

  • If your organization uses MLflow, you need to immediately identify all instances running versions prior to 3.9.0. Patching is the priority. Beyond that, audit your MLflow deployments for excessive permissions and ensure network segmentation limits what the MLflow backend can reach internally and in your cloud environment. This SSRF can be a critical pivot for internal reconnaissance and data exfiltration.

Related ATT&CK Techniques

T1571 Non-Standard Port Command and Control T1071.001 Web Protocols Command and Control T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

MLflow SSRF to Internal Service Access - CVE-2026-2393

Sigma YAML — free preview 
title: MLflow SSRF to Internal Service Access - CVE-2026-2393
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects the specific MLflow API endpoint used in the SSRF vulnerability (CVE-2026-2393) where the 'url' parameter is passed without proper validation, allowing an attacker to craft requests to internal services or cloud metadata endpoints.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-2393/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      uri|contains:
          - '/api/2.0/mlflow/experiments/create'
      cs-uri-query|contains:
          - 'url='
      cs-method:
          - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-2393 SSRF MLflow versions prior to 3.9.0
CVE-2026-2393 SSRF Vulnerable function: _create_webhook() in mlflow/server/handlers.py
CVE-2026-2393 SSRF Vulnerable function: _send_webhook_request() in mlflow/webhooks/delivery.py
CVE-2026-2393 SSRF User-controlled parameter: url in _create_webhook()

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability

CVE-2026-8321 — A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware....

vulnerabilityCVEhigh-severityauthentication-bypasscwe-287cwe-288
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-8320 — Jishenghua JshERP Server-Side Request Forgery

CVE-2026-8320 — A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the...

vulnerabilityCVEmedium-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /MEDIUM /4.7 /⚑ 2 IOCs /⚙ 3 Sigma

CVE-2026-8319 — A weakness has been identified in aiwaves-cn agents up to

CVE-2026-8319 — A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recall_relevant_memories_to_working_memory of the file core/cat/looking_glass/stray_cat.py...

vulnerabilityCVEmedium-severitycwe-400cwe-404
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 3 IOCs /⚙ 2 Sigma