CVE-2026-33866

Published: Apr 7, 2026

Modified: Apr 14, 2026

PUBLISHED

Description

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1.

Vendor: Mlflow

Product: Mlflow

Versions: affected, 0 - <= 3.10.1

Weaknesses (CWE)
