# [CRIT] [GHSA / CRITICAL] CVE-2026-2611: MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

**Source:** GitHub Security Advisories
**Published:** 2026-05-19
**Article:** https://github.com/advisories/GHSA-67c5-x5mf-rppq

## Threat Profile

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assist…
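The advisory text above concerns cross-origin browser requests reaching a loopback-only service. The following is an added example, not MLflow's code and not the upstream fix, of a strict Host/Origin check for such an API. The function names, port 5000, the JSON-only rule for writes, and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}  # names the listener answers to
UNSAFE = {"POST", "PUT", "PATCH", "DELETE"}

def _host_port(authority, default_port=80):
    """Parse 'host[:port]' from a Host header or an Origin authority."""
    if not authority or any(c in authority for c in "@/\\ "):
        return ("", -1)
    try:
        parts = urlsplit("//" + authority)
        return (parts.hostname or "", parts.port or default_port)
    except ValueError:  # malformed port or IPv6 literal
        return ("", -1)

def is_request_allowed(method, headers, port=5000):
    """Return True only for requests a loopback-only API should serve."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # 1. Host must be a loopback name on our port (stops DNS rebinding).
    own = _host_port(h.get("host", ""))
    if own[0] not in LOOPBACK or own[1] != port:
        return False
    # 2. Requests the browser labels cross-site or same-site are refused.
    if h.get("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
        return False
    # 3. An Origin header, when sent, must be exactly this server's origin.
    if "origin" in h:
        scheme, _, authority = h["origin"].partition("://")
        if scheme != "http" or _host_port(authority) != own:
            return False
    # 4. Writes must be JSON, which forces a CORS preflight from other origins.
    if method.upper() in UNSAFE:
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return False
    return True

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "ui_same_origin": ("POST", {"Host": "localhost:5000", "Origin": "http://localhost:5000",
                                "Sec-Fetch-Site": "same-origin", "Content-Type": "application/json"}),
    "cross_site_page": ("POST", {"Host": "localhost:5000", "Origin": "https://other.example",
                                 "Sec-Fetch-Site": "cross-site", "Content-Type": "text/plain"}),
    "rebound_name": ("POST", {"Host": "rebound.example:5000", "Origin": "http://rebound.example:5000",
                              "Content-Type": "application/json"}),
    "cli_client": ("POST", {"Host": "127.0.0.1:5000", "Content-Type": "application/json"}),
}

def evaluate_samples():
    return {name: is_request_allowed(m, hdrs) for name, (m, hdrs) in SAMPLES.items()}
```

Requests without an Origin header are treated as non-browser clients, so this check complements authentication on the endpoint and does not replace it.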

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-2611`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1059.001** — PowerShell
- **T1059.003** — Windows Command Shell
- **T1059.004** — Unix Shell
- **T1068** — Exploitation for Privilege Escalation

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Vulnerable MLflow 3.9.0 install — CVE-2026-2611 Assistant /ajax-api origin bypass

`UC_264_1` · phase: **weapon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve="CVE-2026-2611" OR (Vulnerabilities.signature="*mlflow*" AND Vulnerabilities.signature="*3.9.0*") by Vulnerabilities.dest Vulnerabilities.signature Vulnerabilities.cve Vulnerabilities.severity | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
// CVE-2026-2611 — MLflow Assistant /ajax-api origin bypass; only 3.9.0 is vulnerable, fixed in 3.10.0
DeviceTvmSoftwareInventory
| where SoftwareName =~ "mlflow"
| where SoftwareVersion startswith "3.9.0"
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilities
    | where CveId =~ "CVE-2026-2611"
    | project DeviceId, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
) on DeviceId
// DeviceTvmSoftwareInventory is a snapshot table with no Timestamp column
| project DeviceName, DeviceId, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| order by DeviceName asc
```

### MLflow server process spawning Claude Code CLI or shell — CVE-2026-2611 RCE chain

`UC_264_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as child_cmd values(Processes.parent_process) as parent_cmd from datamodel=Endpoint.Processes where (Processes.parent_process="*mlflow*" OR Processes.parent_process_name IN ("mlflow","mlflow.exe")) AND (Processes.process_name IN ("claude","claude.exe","cmd.exe","powershell.exe","pwsh.exe","bash","sh","zsh","dash")) by host Processes.dest Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
// CVE-2026-2611 — MLflow Assistant invokes Claude Code sub-agent or shell after /ajax-api origin bypass
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessCommandLine has "mlflow"
     or InitiatingProcessFileName in~ ("mlflow","mlflow.exe")
| where FileName in~ ("claude","claude.exe","cmd.exe","powershell.exe","pwsh.exe","bash","sh","zsh","dash")
     or ProcessCommandLine has_any ("claude -p ","claude --print","claude code")
| where AccountName !endswith "$"
| where InitiatingProcessFileName in~ ("python.exe","python","python3","python3.exe","gunicorn","gunicorn.exe","mlflow","mlflow.exe","uvicorn","uvicorn.exe")
| project Timestamp, DeviceName, AccountName,
          ParentImage = InitiatingProcessFolderPath,
          ParentCmd   = InitiatingProcessCommandLine,
          ChildImage  = FolderPath,
          ChildCmd    = ProcessCommandLine,
          SHA256
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-2611`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
