VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 20, 2026

CVE-2026-33866

Description

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.

This issue affects MLflow versions through 3.10.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
mlflow (PyPI) | < 3.11.0rc0 | 3.11.0rc0
