CVE-2026-2393 | MLflow up to 3.9.x HTTP POST Request handlers.py _create_webhook url server-side request forgery

May 11, 2026 Yanac

A vulnerability was found in MLflow up to 3.9.x. It has been rated as critical. Impacted is the function _create_webhook of the file mlflow/server/handlers.py of the component HTTP POST Request Handler. This manipulation of the argument url causes server-side request forgery.

The identification of this vulnerability is CVE-2026-2393. It is possible to initiate the attack remotely. There is no exploit available.

Upgrading the affected component is advised.VulDB Recent EntriesRead More