VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-pk3j-kucq-33ca

Essentials
Severities (16)
References (8)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-pk3j-kucq-33ca
Aliases	CVE-2026-2611 GHSA-67c5-x5mf-rppq
Summary	mlflow: MLflow: Arbitrary Code Execution via Improper Origin Validation
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-940	Improper Verification of Source of a Communication Channel
CWE-346	Origin Validation Error

System	Score	Found at
cvssv3	9.6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2611.json
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-2611
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-2611
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-67c5-x5mf-rppq
cvssv3.1	9.6	https://github.com/mlflow/mlflow
generic_textual	CRITICAL	https://github.com/mlflow/mlflow
cvssv3	9.6	https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc
cvssv3.1	9.6	https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc
generic_textual	CRITICAL	https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc
ssvc	Track*	https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc
cvssv3	9.6	https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a
cvssv3.1	9.6	https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a
generic_textual	CRITICAL	https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a
ssvc	Track*	https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a
cvssv3.1	9.6	https://nvd.nist.gov/vuln/detail/CVE-2026-2611
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2026-2611

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2611.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-2611
		https://github.com/mlflow/mlflow
		https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc
		https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a
		https://nvd.nist.gov/vuln/detail/CVE-2026-2611
2479797		https://bugzilla.redhat.com/show_bug.cgi?id=2479797
GHSA-67c5-x5mf-rppq		https://github.com/advisories/GHSA-67c5-x5mf-rppq

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2611.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/mlflow/mlflow

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-19T13:26:07Z/ Found at https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-19T13:26:07Z/ Found at https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-2611

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.11287
EPSS Score	0.00036
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:28:29.819718+00:00	RedHat Importer	Import	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2611.json	38.6.0