CVE-2026-2611: In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints.
criticalvulnerabilityLLM-Specific
security
Summary
MLflow version 3.9.0 has a vulnerability in its Assistant feature where /ajax-api endpoints don't properly validate the origin (the source website making a request). This allows an attacker on a malicious webpage to send cross-origin requests (requests from a different domain) to trick the MLflow Assistant running on a victim's computer, bypass security restrictions meant to only allow local access, and execute arbitrary commands (run any code they choose) through the Claude Code sub-agent.
Solution / Mitigation
Update to MLflow version 3.10.0, where this issue is resolved.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Disclosure Date
May 19, 2026
Classification
Attack Type
RAG Poisoning
Attack SophisticationModerate
Impact (CIA+S)
integrityavailability
Taxonomy References
CWE (Weakness Type)
Affected Vendors
Anthropic
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-2611
First tracked: May 19, 2026 at 08:08 AM
Classified by LLM (prompt v3) · confidence: 92%