External risk intelligence

MLflow Assistant Remote Command Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-2611

The vulnerability affects the MLflow Assistant running on a user's local machine, specifically targeting loopback-only restrictions. It requires a victim to browse a malicious webpage while the local assistant is active, which is a client-side interaction pattern that is not typically exposed to the public internet as a service.

Lfprojects Mlflow

3.9.0 to before 3.10.0

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the MLflow Assistant feature that could allow remote attackers to execute arbitrary commands by tricking users into visiting a malicious webpage. This flaw bypasses security restrictions, potentially enabling unauthorized system access through the Claude Code sub-agent.

  • Weak validation allows remote command execution.
  • Local machine compromise is a potential high-level risk.
  • Confirming local exposure is the primary leadership concern.

Attack Path

How an attacker could exploit the issue

An attacker can initiate a malicious attack by luring a user to a compromised webpage. This webpage would exploit the MLflow Assistant's improper origin validation to bypass local restrictions, leading to configuration changes that enable arbitrary command execution. This attack requires the victim to actively visit the malicious site while the vulnerable MLflow Assistant is running.

  • Requires user to visit malicious site.
  • Bypasses local origin validation to alter configuration.
  • Allows arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow a remote attacker to execute arbitrary commands on a victim's local machine when interacting with the MLflow Assistant. This occurs when a user visits a malicious webpage, leading to cross-origin requests that bypass loopback restrictions and enable full access to the Assistant's configuration.

  • Local MLflow Assistant configuration.
  • Cross-origin requests from malicious webpages.
  • Arbitrary command execution on the victim's machine.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MLflow Assistant feature is likely managed by application owners or platform teams who ensure its proper configuration and security. The first practical step is to identify all instances of the affected MLflow version, determine their network exposure and business criticality, and then engage the accountable owner to plan for remediation.

  • Application owners should manage this issue.
  • Verify MLflow Assistant's network reachability first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MLflow and its Assistant feature?

MLflow is an open-source platform managed by LF Projects used by data scientists to manage the machine learning lifecycle, including experimentation and deployment. The MLflow Assistant is an integrated feature that provides AI-assisted coding and workflow help, acting as a sub-agent. It is designed to run locally, providing developers with assistance directly within their machine learning development environment.

How does CVE-2026-2611 work?

This vulnerability involves improper origin validation, classified as CWE-346 and CWE-940. Because the software fails to verify where a request originates, a malicious website can send cross-origin requests to the MLflow Assistant running on your computer. This tricks the assistant into accepting commands from the web, which allows an attacker to change configurations and run arbitrary code via the Claude Code sub-agent.

Do I need to be running a specific service for this to trigger?

Yes. The vulnerability specifically targets the local MLflow Assistant. It is triggered when you are actively running the vulnerable version of the assistant on your machine and you visit a malicious webpage. It will not trigger if the MLflow Assistant is completely shut down, nor does it rely on automated background scanning; the attack requires a user-driven interaction with a malicious site while the local service is active.

Is my MLflow setup at risk?

According to Halo Surface Signal, this risk is very unlikely for typical server-side deployments because the vulnerability targets local machine loopback restrictions. It requires a user to be actively browsing the internet while the local assistant is running. If your MLflow instances are strictly used as internal, non-interactive services without a browser-based frontend, the attack vector is significantly reduced.

What is the first step to address this?

The most effective way to secure your environment is to update to MLflow version 3.10.0 or later, which resolves the origin validation flaw. Before updating, identify all local developer workstations or environments where MLflow 3.9.0 is currently active. Once identified, ensure those users are aware of the risk and prioritize applying the software update to replace the vulnerable components.

References