CVE-2022-0736: MLflow: insecure temp file handling causes DoS

HIGH PoC AVAILABLE
Published February 23, 2022
CISO Take

MLflow experiment tracking servers with network exposure are vulnerable to unauthenticated DoS via insecure temporary file handling — no credentials required. Patch to 1.23.1 immediately; if delayed, isolate MLflow behind internal network controls. This disrupts ML training pipelines and model registry availability, not data confidentiality.

What is the risk?

Risk is HIGH for teams running MLflow with any network exposure (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). Low attack complexity means opportunistic exploitation is plausible even without targeted intent. Not in CISA KEV and no public PoC weaponization confirmed, which moderates urgency slightly. However, the no-auth vector in ML infrastructure makes this a priority patch for production MLOps environments.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
MLflow | pip | | No patch
26.6K, OpenSSF 5.6, 655 dependents, Pushed 4d ago, 31% patched, ~51d to patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 1.6% chance of exploitation in 30 days (higher than 72% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

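Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High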

What should I do?

5 steps
  1. PATCH

    Upgrade MLflow to 1.23.1+ immediately — this is the only full remediation.

  2. ISOLATE

    If patching is delayed, restrict MLflow server access to internal network only via firewall/security group rules; remove any public internet exposure.

  3. DETECT

    Monitor for repeated MLflow service crashes, anomalous temp file creation bursts in /tmp or MLflow working directories, and unexpected service restarts.

  4. AUDIT

    Inventory all MLflow deployments across dev/staging/prod and prioritize internet-facing instances.

  5. HARDEN

    Run MLflow under a dedicated low-privilege service account with restricted filesystem permissions.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.1 - Information security in AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-0736?

MLflow experiment tracking servers with network exposure are vulnerable to unauthenticated DoS via insecure temporary file handling — no credentials required. Patch to 1.23.1 immediately; if delayed, isolate MLflow behind internal network controls. This disrupts ML training pipelines and model registry availability, not data confidentiality.

Is CVE-2022-0736 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-0736, increasing the risk of exploitation.

How to fix CVE-2022-0736?

  1. PATCH: Upgrade MLflow to 1.23.1+ immediately; this is the only full remediation.
  2. ISOLATE: If patching is delayed, restrict MLflow server access to internal network only via firewall/security group rules; remove any public internet exposure.
  3. DETECT: Monitor for repeated MLflow service crashes, anomalous temp file creation bursts in /tmp or MLflow working directories, and unexpected service restarts.
  4. AUDIT: Inventory all MLflow deployments across dev/staging/prod and prioritize internet-facing instances.
  5. HARDEN: Run MLflow under a dedicated low-privilege service account with restricted filesystem permissions.

What systems are affected by CVE-2022-0736?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2022-0736?

CVE-2022-0736 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.55%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps/CI-CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

Exploitation Scenario

An adversary with network-level access to an MLflow tracking server (including through a compromised internal network or a misconfigured VPC) sends crafted HTTP requests that trigger insecure temporary file creation. By exploiting a race condition (TOCTOU) or symlink substitution against predictably named temp files, the attacker causes MLflow to fail when writing artifacts or processing uploads. In a production MLOps pipeline, repeated crashes halt automated model training jobs and block deployments, creating a denial-of-service condition against the ML lifecycle without requiring any credentials.

Weaknesses (CWE)

CWE-377 — Insecure Temporary File: Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Source: MITRE CWE corpus.
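
The CWE-377 weakness class and the predictable-name and symlink conditions named in the exploitation scenario, shown as an added Python example placing the weak pattern beside two hardened forms. This is not MLflow's code; the function names, the file name `upload.tmp` and the constructed directory contents are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

def write_predictable(directory, name, data):
    """Weak (CWE-377): fixed name in a shared directory; open() follows a symlink."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:  # truncates whatever the path resolves to
        fh.write(data)
    return path

def write_exclusive(directory, name, data):
    """Fixed name unavoidable: O_CREAT|O_EXCL creates atomically or raises."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def write_private(data):
    """Preferred: private 0700 directory plus a random mkstemp name (0600, O_EXCL)."""
    workdir = tempfile.mkdtemp(prefix="scratch-")
    fd, path = tempfile.mkstemp(dir=workdir, suffix=".part")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Constructed case: a symlink already occupies the predictable name."""
    shared = tempfile.mkdtemp(prefix="shared-")  # throwaway stand-in for /tmp
    other = os.path.join(shared, "unrelated.db")
    Path(other).write_bytes(b"keep me")
    os.symlink(other, os.path.join(shared, "upload.tmp"))
    try:
        write_exclusive(shared, "upload.tmp", b"artifact")
        refused = False
    except FileExistsError:  # the pre-existing symlink is not followed
        refused = True
    intact = Path(other).read_bytes() == b"keep me"
    write_predictable(shared, "upload.tmp", b"artifact")  # follows the link
    clobbered = Path(other).read_bytes() == b"artifact"
    private = write_private(b"artifact")
    mode = stat.S_IMODE(os.stat(private).st_mode)
    shutil.rmtree(shared)
    shutil.rmtree(os.path.dirname(private))
    return {"refused": refused, "intact": intact,
            "clobbered": clobbered, "private_mode": oct(mode)}
```

Calling `demo()` on a POSIX system returns the outcome of each writer against the same pre-existing path, which is the check to apply when reviewing any code that writes scratch files into a shared directory.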

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: February 23, 2022
Last Modified: November 21, 2024
First Seen: February 23, 2022

Related Vulnerabilities