Executive Summary

CVE-2026-33865 is a Stored Cross-Site Scripting (XSS) vulnerability in MLflow versions up to 3.10.1. It occurs because MLflow's web interface unsafely parses YAML-based MLmodel artifact files. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes JavaScript code when another user views the artifact in the UI.

This unsafe parsing happens due to the use of the `yaml.load()` function from the js-yaml library, which supports JavaScript-specific YAML tags that can be exploited to run arbitrary code. The vulnerability allows attackers to perform actions such as session hijacking or executing operations on behalf of the victim user.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker to execute malicious JavaScript code in your browser when you view a compromised MLmodel artifact in the MLflow UI.

• Session hijacking, where the attacker can steal your session and impersonate you.
• Performing unauthorized operations on your behalf within the MLflow application.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying whether your MLflow installation is running a vulnerable version (up to and including 3.10.1) and if malicious MLmodel YAML artifacts have been uploaded and viewed in the web interface.

Since the vulnerability is a stored Cross-Site Scripting (XSS) caused by unsafe YAML parsing in the MLflow web UI, detection can include:

• Checking the MLflow version to confirm if it is 3.10.1 or earlier.
• Reviewing uploaded MLmodel artifact files for suspicious YAML content, especially those containing JavaScript-specific YAML tags like !!js/function.
• Monitoring web interface logs or user activity for unexpected script execution or unusual behavior when viewing MLmodel artifacts.

Specific commands are not provided in the available resources, but you can use commands to check the MLflow version, for example:

• `mlflow --version`
• To inspect MLmodel files, you can use standard file inspection commands such as `cat` or `less` on the artifact files stored in your MLflow artifact storage.
• For searching suspicious YAML tags in MLmodel files, you might use grep commands like: `grep -r '!!js/function' /path/to/mlflow/artifacts`

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade MLflow to version 3.10.2 or later, where the vulnerability has been fixed by replacing unsafe YAML parsing (`yaml.load()`) with a safe alternative (`yaml.safeLoad()`).

Additional immediate steps include:

• Restricting upload permissions to trusted authenticated users to prevent malicious MLmodel files from being uploaded.
• Reviewing and removing any suspicious MLmodel artifacts that may contain malicious payloads.
• Monitoring user activity and web interface logs for signs of exploitation.

Applying the patch or upgrade as soon as possible is the most effective way to eliminate the attack vector.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated attacker to execute stored Cross-Site Scripting (XSS) attacks by uploading malicious MLmodel files that execute when viewed by other users. This can lead to session hijacking and unauthorized actions performed on behalf of victims.

Such unauthorized access and actions could potentially lead to breaches of confidentiality and integrity of user data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access and attacks.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with specific standards or regulations.

Useful 0 Not Useful 0