- CVSS
- HIGH · 7.1 v3.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- Published
- 2026-05-11
- Weakness
- CWE-918
- Source
- nvd.nist.gov/vuln/detail/CVE-2026-2393
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The _create_webhook() function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the _send_webhook_request() function in mlflow/webhooks/delivery.py sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
References
How GTK Cyber trains on this
AI security training at GTK Cyber covers the LLM and ML-pipeline vulnerability classes that vulnerabilities like CVE-2026-2393 fall into. Our hands-on courses are taught by Charles Givre and other practitioners who break and defend production AI systems.