CVE-2026-2393: A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The `_create_webhook()` fun
Summary
MLflow versions before 3.9.0 contain an SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended targets) in the webhook creation function. An authenticated attacker can provide a malicious URL that causes MLflow's backend to send HTTP requests to internal services, cloud credential systems, or external servers, potentially exposing sensitive data or accessing restricted networks.
Vulnerability Details
EPSS: 0.0%
May 11, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-2393
First tracked: May 12, 2026 at 02:12 AM