PyPI: mlflow
CVE-2026-33865
Safety vulnerability ID: SFTY-20260407-39486
Safety legacy ID: pyup.io-93804
Affected versions of the mlflow package are vulnerable to Stored Cross-Site Scripting due to unsafe parsing of YAML-based MLmodel artifacts when rendered in the web interface. The web UI processes attacker-supplied fields from uploaded ML model files without adequate output sanitization, allowing embedded payloads to be emitted into the rendered artifact view and executed in the browser of any user who opens the artifact. An authenticated attacker who uploads a malicious ML model file can trigger script execution in the context of a victim's session, enabling session hijacking or actions performed on the victim's behalf.
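The rendering defect the advisory describes, as an added illustration that is not MLflow's own code: a constructed MLmodel mapping (the shape `yaml.safe_load` returns for an MLmodel file) is rendered once by plain string concatenation, the vulnerable pattern, and once with HTML escaping applied to every key and value. Field names follow the MLmodel format; the values are constructed.

```python
import html

# Constructed MLmodel content as yaml.safe_load would return it (parse untrusted
# YAML with safe_load only). The artifact_path value carries a script tag that
# stands in for any attacker-controlled string field in an uploaded model.
SAMPLE_MLMODEL = {
    "artifact_path": "model<script>alert(1)</script>",
    "flavors": {
        "python_function": {
            "loader_module": "mlflow.sklearn",
            "python_version": "3.11",
        }
    },
    "mlflow_version": "x.y.z",  # placeholder, not a real version
}


def flatten(node, prefix=""):
    """Yield (dotted.key, value) pairs for a nested mapping."""
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def render_fields(data, escape):
    """Render the mapping as HTML table rows.

    escape=False reproduces the vulnerable pattern: untrusted strings are
    concatenated straight into markup. escape=True is the hardened form, where
    every key and value is escaped at output time regardless of its source.
    """
    rows = []
    for key, value in flatten(data):
        key, value = str(key), str(value)
        if escape:
            key, value = html.escape(key), html.escape(value)
        rows.append(f"<tr><td>{key}</td><td>{value}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def contains_raw_tag(rendered, tag="script"):
    """Check helper: True if a live <tag> element survived into the output."""
    return f"<{tag}" in rendered.lower()
```

The same escaping must be applied wherever artifact fields reach the page, including JSON embedded in script blocks, where HTML escaping alone is not the right encoder.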
Overview
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface.
References
- https://getsafety.com/vulnerabilities/SFTY-20260407-39486/CVE-2026-33865
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33865
- https://data.safetycli.com/changelogs/mlflow/
- https://github.com/advisories/GHSA-fh64-r2vc-xvhr
- https://pypi.org/project/mlflow
- https://nvd.nist.gov/vuln/detail/CVE-2026-33865
- https://github.com/mlflow/mlflow/pull/21435
- https://cert.pl/en/posts/2026/04/CVE-2026-33865
- https://github.com/mlflow/mlflow/commit/aca4dd0ec88a12f7655155c224371280e9b45dda
- https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.