Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-2611 -- CVSS 9.6 Vulnerability Briefing

CVE-2026-2611 | CVSS 9.6 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-2611 is an improper origin validation vulnerability in MLflow version 3.9.0, specifically affecting the /ajax-api endpoints introduced by the MLflow Assistant feature, which allows cross-origin request abuse by remote unauthenticated attackers.

Technical Detail

The flaw stems from insufficient validation of the Origin header on /ajax-api endpoints in MLflow 3.9.0, enabling a remote attacker to perform cross-site request forgery (CSRF) or cross-origin request injection against authenticated MLflow sessions. An attacker can craft a malicious web page or resource that causes a victim's browser to issue unauthorized requests to the MLflow API on their behalf, potentially allowing unauthorized access to model artifacts, experiment data, or administrative functions. Depending on the privileges of the targeted session, exploitation could result in data exfiltration, model tampering, or further lateral movement within an MLOps environment.

Exploitation Status

No known exploit code has been publicly observed as of this writing, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is assessed as none at this time, meaning no public proof-of-concept or operational tooling has been confirmed. However, the high CVSS score of 9.6 and the accessible nature of browser-based cross-origin attacks lower the technical barrier for exploitation development.

Who Is Targeting This

Confirmed (ATTAX-verified): FIN8 (origin unspecified, motivation unknown), FIN6 (origin unspecified, motivation unknown), Scattered Spider (origin unspecified, motivation unknown), APT28 (origin: Russia, motivation: nation-state), and Evilnum (origin unspecified, motivation unknown). No additional reported or research-inferred actor attribution is on record at this time. The breadth of confirmed actors spanning financially motivated groups and a Russian nation-state actor suggests this vulnerability is of broad interest across threat categories, though specific campaign activity tied to this CVE has not been confirmed.

What To Do

Organizations running MLflow 3.9.0 should prioritize patching to the latest available version that addresses this origin validation flaw. If an immediate upgrade is not feasible, restrict access to MLflow /ajax-api endpoints at the network perimeter, ensuring they are not exposed to untrusted networks or the public internet. Enforce authentication and session controls on all MLflow interfaces, and consider deploying a web application firewall rule to block cross-origin requests to /ajax-api paths from unauthorized origins. Monitor MLflow access logs for anomalous cross-origin request patterns or unexpected API calls originating from browser-based sessions. Given the confirmed interest from multiple high-capability threat actors, this vulnerability should be treated as high priority for remediation regardless of current exploit maturity.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →