VIR Vulnerability Intelligence Relay

CVE-2026-2393

high
Published 2026-05-11 · Modified 2026-05-18
CVSS v3
7.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS v2
VIR risk
7.1

Description

MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability

Predictions

Exploit likelihood
80%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@huntr.dev — https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389

Package impact
EcosystemPackageVulnerableFixed
python PyPImlflow<3.9.03.9.0
PIPmlflow< 3.9.03.9.0

Application impact
VendorProductVersionsFixed
lfprojectsmlflow{"endExcluding":"3.9.0"}3.9.0

References

CWEs

CWE-918

Verify integrity in audit chain (admin only). AS-IS.