Anonymous Intelligence Signal

MLflow 3.11.1 Patches Critical XSS Vulnerability (CVE-2026-33865) in Model Artifact UI

human The Lab unverified 2026-04-08 23:27:09 Source: GitHub Issues

A critical security flaw in the MLflow machine learning platform, which exposed authenticated users to session hijacking and unauthorized actions, has been patched. The vulnerability, tracked as CVE-2026-33865, is a Stored Cross-Site Scripting (XSS) weakness in the platform's web interface. It stems from unsafe parsing of YAML-based MLmodel artifacts, allowing an attacker to embed malicious code that executes automatically when another user views the compromised artifact within the UI.

The vulnerability specifically affects the MLflow UI's handling of uploaded MLmodel files. An authenticated user with upload privileges could craft a malicious YAML file containing a script payload. When a victim—such as a data scientist or team member—opens this artifact to view its details, the embedded payload executes in their browser context. This creates a direct vector for an insider or a compromised account to steal session cookies, impersonate users, or perform actions on their behalf without their knowledge.

The patch, delivered in version 3.11.1, addresses the unsafe parsing mechanism. The update was flagged as a security priority and auto-closed the corresponding dependency update request. This incident highlights the persistent security risks in MLOps toolchains where trusted internal platforms become attack surfaces. Teams using MLflow for experiment tracking and model registry must prioritize this update to mitigate the risk of internal account compromise and lateral movement within AI development pipelines.
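For teams triaging this, the following added example (not MLflow's code and not from the advisory) checks a version string against the fixed release 3.11.1 and sweeps an artifact directory for MLmodel files that contain HTML markup. The markup heuristic, the function names, and the `description` key in the constructed sample are assumptions of this example; the article does not say which field the UI rendered unsafely.

```python
import re
import sys
from pathlib import Path

PATCHED = (3, 11, 1)  # fixed release named in the article

# Heuristic (an assumption of this example, not MLflow's own check):
# MLmodel metadata has no legitimate reason to carry HTML markup.
MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z][\w-]*[^>]*>"  # an HTML/SVG tag
    r"|\bon[a-z]+\s*="                # an inline event-handler attribute
    r"|javascript\s*:",               # a javascript: URL
    re.IGNORECASE,
)

def is_patched(version: str) -> bool:
    """True if a release version string is 3.11.1 or later (suffixes ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) >= PATCHED

def scan_mlmodel_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every line containing markup."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if MARKUP.search(line)]

def scan_store(root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk an artifact directory and scan every file named MLmodel."""
    findings = {}
    for path in Path(root).rglob("MLmodel"):
        if not path.is_file():
            continue
        hits = scan_mlmodel_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed samples; "description" is a hypothetical key used only here.
SAMPLE_CLEAN = ("artifact_path: model\nflavors:\n  python_function:\n"
                "    loader_module: mlflow.sklearn\n    python_version: 3.11.9\n")
SAMPLE_SUSPECT = SAMPLE_CLEAN + 'description: "<script>/* constructed */</script>"\n'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_store(root).items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: {line}")
```

A hit is a prompt to review who uploaded the artifact and when, not proof of exploitation; upgrading to 3.11.1 remains the fix.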