MLflow CORS Vulnerability in Assistant Feature Allows Remote Code Execution

Vulnerability

A vulnerability in the MLflow Assistant feature introduced in version 3.9.0 results from improper origin validation in the '/ajax-api' endpoints. Remote attackers can use cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. Because such requests bypass the loopback-only restriction, attackers can modify the Assistant's configuration to grant full access and then execute arbitrary commands via the Claude Code sub-agent. The vulnerability arises because the CORS blocking middleware does not apply to the Assistant's AJAX API endpoints, which are accessible from the loopback interface.
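The middleware gap described above, shown as an added example that is not MLflow's own code or its actual fix: a dependency-free WSGI origin check in which an exempted path prefix reproduces the weakness and an empty exemption list closes it. The class and function names, port 5000, the path '/ajax-api/example' and the origin 'https://attacker.example' are constructed for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

def origin_is_local(origin, server_port):
    """True only for an http(s) Origin that names this loopback server."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.hostname not in LOOPBACK_HOSTS:
        return False  # also rejects the opaque origin "null"
    default = 443 if parts.scheme == "https" else 80
    return (port or default) == server_port

class OriginGuard:
    """WSGI wrapper that rejects requests carrying a foreign Origin header."""
    def __init__(self, app, server_port, exempt_prefixes=()):
        self.app = app
        self.server_port = server_port
        # Any prefix listed here skips the check; leave it empty.
        self.exempt_prefixes = tuple(exempt_prefixes)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        exempt = environ.get("PATH_INFO", "").startswith(self.exempt_prefixes)
        # Requests with no Origin header (CLI and SDK clients) pass through.
        if origin is not None and not exempt and not origin_is_local(origin, self.server_port):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"cross-origin request blocked\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Constructed stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(guard, path, origin):
    """Send one constructed POST through the guard and return the status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    seen = []
    guard(environ, lambda status, headers: seen.append(status))
    return seen[0]

if __name__ == "__main__":
    for prefixes in (("/ajax-api",), ()):
        guard = OriginGuard(demo_app, 5000, prefixes)
        print(prefixes, status_for(guard, "/ajax-api/example", "https://attacker.example"))
```

The check sits in front of every route, so a handler added later cannot be reached from a foreign origin unless someone deliberately lists its prefix as exempt.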

Impact

Exploitation of this vulnerability leads to unauthorized command execution on the local machine where MLflow is running, through the MLflow Assistant's integration with Claude Code.

Reproduction

To reproduce this vulnerability, first deploy MLflow version 3.9.0 and ensure that the MLflow Assistant is active. Then, create a malicious webpage that sends cross-origin requests to the MLflow Assistant's AJAX API endpoints, bypassing the intended loopback-only restriction. When the victim visits the webpage, the requests will be sent to the local MLflow instance, allowing the attacker to manipulate the Assistant's configuration and execute commands.

Remediation

Users can upgrade to MLflow version 3.10.0 or later, where this vulnerability has been fixed.

Added: May 19, 2026, 10:31 AM
Updated: May 19, 2026, 10:31 AM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.