CVE-2026-2611
Published: 19 May 2026
Summary
CVE-2026-2611 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Lfprojects MLflow. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 29.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30853
Vulnerability details
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.
- CWE(s): CWE-346
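A sketch of the origin validation a loopback-bound HTTP API needs so that a page on another origin cannot drive it, as in the scenario described above. This is an added example, not MLflow's code or its 3.10.0 fix; the function names, port 5000 and the policy of refusing writes that carry no Origin header are assumptions.

```python
from urllib.parse import urlsplit

# Assumed names under which the local UI legitimately reaches the service.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _host_port(netloc, default_port):
    """Split 'host:port' into (host, port); IPv6 literals stay bracketed."""
    host, sep, port = netloc.rpartition(":")
    if not sep or netloc.endswith("]"):
        return netloc.lower(), default_port
    return host.lower(), int(port) if port.isdigit() else -1


def is_request_allowed(method, headers, server_port=5000):
    """Return True only when the request provably comes from the local UI.

    `headers` is a plain dict keyed by canonical header names (assumption).
    """
    # Binding to 127.0.0.1 is not enough: the victim's browser is local too.
    # Host check: under DNS rebinding the page's own name resolves to loopback.
    host, port = _host_port(headers.get("Host", ""), 80)
    if host not in LOOPBACK_HOSTS or port != server_port:
        return False
    # Modern browsers label cross-site and same-site (other port) requests.
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False
    origin = headers.get("Origin")
    if origin is None:
        # No Origin header: permit reads, refuse anything that changes state.
        return method not in STATE_CHANGING
    try:
        parts = urlsplit(origin)
    except ValueError:                  # malformed IPv6 literal in Origin
        return False
    if parts.scheme != "http":          # also rejects the literal "null" origin
        return False
    o_host, o_port = _host_port(parts.netloc, 80)
    return o_host in LOOPBACK_HOSTS and o_port == server_port


if __name__ == "__main__":
    # Constructed sample: a configuration write sent by a foreign page.
    sample = {"Host": "127.0.0.1:5000", "Origin": "https://attacker.example",
              "Sec-Fetch-Site": "cross-site"}
    print("cross-origin POST allowed:", is_request_allowed("POST", sample))
```

The check is meant to run before any handler, so a rejected request never reaches configuration-changing code.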
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: claude, mlflow
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper origin validation (CWE-346) on local MLflow /ajax-api endpoints directly enables drive-by compromise from a malicious webpage, bypassing loopback restrictions to achieve RCE via arbitrary command execution in the sub-agent.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enforces verification of the source of a communication channel by requiring identification and authentication of services first.
Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.