CVE-2026-2611: MLflow Assistant Critical RCE via Origin Validation Bypass
A critical vulnerability, CVE-2026-2611, has been identified in MLflow version 3.9.0, specifically impacting the MLflow Assistant feature. As reported by the National Vulnerability Database, the issue stems from improper origin validation within the /ajax-api endpoints. This flaw enables a remote attacker to bypass the intended loopback-only restriction, leveraging cross-origin requests from a malicious webpage to interact with the Assistant on a victim’s local machine.
The attacker’s calculus here is straightforward: gain control over the Assistant’s configuration. Once achieved, this enables the execution of arbitrary commands through the Claude Code sub-agent, leading to a full compromise. The National Vulnerability Database assigns this a CVSS score of 9.6 (CRITICAL): remote code execution (RCE) has no complex prerequisites and requires only user interaction (UI:R).
This isn’t a theoretical threat. It’s a direct path to RCE, making it a prime target for initial access. Defenders need to understand that this bypass allows remote interaction with a local service that was never meant to be exposed. The fix is available in MLflow version 3.10.0, addressing the fundamental origin validation flaw.
What This Means For You
- If your organization utilizes MLflow Assistant, specifically version 3.9.0, you are exposed to critical remote code execution. Immediately upgrade to MLflow version 3.10.0 or later. Audit any MLflow deployments for suspicious activity or unauthorized configuration changes, particularly those involving the Claude Code sub-agent.
🛡️ Detection Rules
CVE-2026-2611: MLflow Assistant RCE via Origin Bypass
```yaml
# Title is quoted because a plain YAML scalar cannot contain ": ".
title: 'CVE-2026-2611: MLflow Assistant RCE via Origin Bypass'
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-2611 by targeting the MLflow Assistant's /ajax-api endpoints with cross-origin requests. This rule looks for POST requests to these specific paths originating from a local MLflow UI, indicating a potential bypass of origin validation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-2611/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # All three conditions must hold: path, method and Referer substring.
  # Normal use of the local UI also matches, hence the false positive below.
  selection:
    cs-uri|contains:
      - '/ajax-api/'
    cs-method:
      - 'POST'
    referer|contains:
      - 'http://127.0.0.1:5000'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
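As an added example (not part of the original page or of MLflow), the Python below triages web access logs for POSTs to /ajax-api/ and parses the Referer host instead of substring-matching it, so a loopback address that appears in a query string or as a DNS label is not mistaken for the local UI. The Combined Log Format, the `/ajax-api/example` path and the `untrusted.example` host are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Combined Log Format is an assumption; adapt the pattern to your server or proxy.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def is_loopback_host(host):
    """True only for localhost or a literal loopback IP; no substring matching."""
    host = (host or "").rstrip(".").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name, e.g. 127.0.0.1.untrusted.example

def classify(line):
    """None for unrelated lines, else 'local', 'no-referer' or 'cross-origin'."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or "/ajax-api/" not in m["path"]:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"
    try:
        host = urlsplit(referer).hostname
    except ValueError:  # malformed URL: treat as untrusted
        host = None
    return "local" if is_loopback_host(host) else "cross-origin"

def flag_cross_origin(lines):
    """Return the log lines whose Referer host is not loopback."""
    return [ln for ln in lines if classify(ln) == "cross-origin"]

# Constructed sample lines; "/ajax-api/example" is a placeholder path.
_P = '127.0.0.1 - - [19/May/2026:13:20:01 +0000] "%s /ajax-api/example HTTP/1.1" 200 52 "%s" "-"'
SAMPLE = [
    _P % ("POST", "http://127.0.0.1:5000/"),
    _P % ("POST", "http://[::1]:5000/"),
    _P % ("POST", "https://untrusted.example/?next=http://127.0.0.1:5000"),
    _P % ("POST", "http://127.0.0.1.untrusted.example/"),
    _P % ("POST", "-"),
    _P % ("GET", "https://untrusted.example/"),
]
```

A `no-referer` result is not evidence of benign traffic; if your proxy records the Origin header, classify that field the same way.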
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-2611 | RCE | MLflow Assistant feature in MLflow version 3.9.0 |
| CVE-2026-2611 | Auth Bypass | Improper origin validation in /ajax-api endpoints of MLflow Assistant |
| CVE-2026-2611 | Code Injection | Execution of arbitrary commands via Claude Code sub-agent in MLflow Assistant |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 19, 2026 at 13:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.