CVE-2022-0736: MLflow: insecure temp file handling causes DoS

HIGH PoC AVAILABLE
Published February 23, 2022
CISO Take

MLflow experiment tracking servers with network exposure are vulnerable to unauthenticated DoS via insecure temporary file handling — no credentials required. Patch to 1.23.1 immediately; if delayed, isolate MLflow behind internal network controls. This disrupts ML training pipelines and model registry availability, not data confidentiality.

Risk Assessment

Risk is HIGH for teams running MLflow with any network exposure (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). Low attack complexity means opportunistic exploitation is plausible even without targeted intent. Not in CISA KEV and no public PoC weaponization confirmed, which moderates urgency slightly. However, the no-auth vector in ML infrastructure makes this a priority patch for production MLOps environments.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
mlflow     pip                              No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 70% of all CVEs)
Exploitation Status: Exploit available; exploitation likelihood MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

1. PATCH: Upgrade MLflow to 1.23.1+ immediately — this is the only full remediation.

2. ISOLATE: If patching is delayed, restrict MLflow server access to the internal network only via firewall/security group rules; remove any public internet exposure.

3. DETECT: Monitor for repeated MLflow service crashes, anomalous temp file creation bursts in /tmp or MLflow working directories, and unexpected service restarts.

4. AUDIT: Inventory all MLflow deployments across dev/staging/prod and prioritize internet-facing instances.

5. HARDEN: Run MLflow under a dedicated low-privilege service account with restricted filesystem permissions.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Information security in AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2022-0736 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-0736, increasing the risk of exploitation.

What systems are affected by CVE-2022-0736?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2022-0736?

CVE-2022-0736 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.63%.

Technical Details

NVD Description

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

Exploitation Scenario

An adversary with network-level access to an MLflow tracking server — including a compromised internal network or misconfigured VPC — sends crafted HTTP requests that trigger insecure temporary file creation. By exploiting the race condition (TOCTOU) or symlink substitution against predictably named temp files, the attacker causes MLflow to fail when writing artifacts or processing uploads. In a production MLOps pipeline, repeated crashes halt automated model training jobs and block deployments, creating a denial-of-service condition against the ML lifecycle without requiring any credentials.
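The two temp-file creation patterns that scenario contrasts, as an added illustration that is not MLflow's code and does not reproduce the page's unshown vulnerable function: a predictably named file opened without O_EXCL (the check-then-use window and symlink-following the scenario relies on) beside the mkstemp form that closes that window. The directory, file names and payloads are constructed for the demo.

```python
"""Added illustration, not MLflow's code: a predictably named temp file (the
insecure pattern this advisory describes) beside an atomically created one."""
import os
import stat
import tempfile


def write_upload_insecure(payload: bytes, name: str, tmp_dir: str) -> str:
    """Weak pattern: guessable path opened with O_CREAT but no O_EXCL, so a
    file or symlink already sitting at that path is followed and overwritten."""
    path = os.path.join(tmp_dir, f"upload-{name}.tmp")
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def write_upload_hardened(payload: bytes, tmp_dir: str) -> str:
    """Hardened pattern: mkstemp picks an unpredictable name and creates it
    with O_CREAT|O_EXCL, mode 0600, in one call, so there is no check-then-use
    window; data goes through the returned descriptor, never a reopened path."""
    fd, path = tempfile.mkstemp(prefix="upload-", suffix=".tmp", dir=tmp_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
    except BaseException:
        os.unlink(path)
        raise
    return path


def demo() -> dict:
    """Constructed scenario: a stale file already occupies the predictable
    path. The insecure writer clobbers it; the hardened writer lands on a
    fresh, owner-only file."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        planted = os.path.join(tmp_dir, "upload-job1.tmp")
        with open(planted, "wb") as fh:
            fh.write(b"stale")
        insecure = write_upload_insecure(b"artifact", "job1", tmp_dir)
        hardened = write_upload_hardened(b"artifact", tmp_dir)
        with open(planted, "rb") as fh:
            planted_now = fh.read()
        mode = stat.S_IMODE(os.stat(hardened).st_mode)
        return {
            "insecure_hit_planted_path": insecure == planted,
            "planted_overwritten": planted_now == b"artifact",
            "hardened_is_fresh": hardened != planted,
            "hardened_owner_only": mode == 0o600,
        }
```

The same contrast is what to look for when reviewing artifact or upload handlers on a pre-1.23.1 deployment: any path built from a caller-controlled or sequential name and then opened with a plain open() is the pattern to replace.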

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
February 23, 2022
Last Modified
November 21, 2024
First Seen
February 23, 2022

Related Vulnerabilities