CVE-2023-4033: MLflow: OS command injection enables local code execution

GHSA-ffw3-6378-cqgp | Severity: HIGH | Public PoC available | CISA SSVC: Attend
Published August 1, 2023
CISO Take

Any low-privileged local user on an MLflow server running < 2.6.0 can execute arbitrary OS commands — no special skills required. Upgrade to 2.6.0 immediately; MLflow nodes often sit adjacent to training data, model artifacts, and cloud credentials, making lateral movement trivial post-exploitation. Audit who has shell access to your MLflow hosts and ensure the service does not run as root.

Risk Assessment

CVSS 7.8 with low complexity and no user interaction makes this straightforward to exploit for anyone with local shell access. While AV:L limits remote exploitation, MLflow is routinely deployed on shared infrastructure (Kubernetes worker nodes, multi-tenant GPU clusters, Jupyter environments) where 'local access' is broadly distributed among data scientists and engineers. AI/ML environments historically have weaker endpoint hardening than production application servers, increasing the real-world exposure significantly. EPSS of 0.002 suggests limited in-the-wild exploitation to date, but the low barrier makes opportunistic abuse realistic.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip         (none listed)      No patch
mlflow    pip         < 2.6.0            2.6.0

Package profile: 25.7K, OpenSSF 4.5, 624 dependents, pushed 7d ago, 24% patched, ~64d to patch.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 39% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

7 steps
  1. Patch immediately

    Upgrade MLflow to >= 2.6.0 (patch commit: 6dde937). Verify with pip show mlflow.

  2. Least privilege

    Ensure MLflow tracking server runs as a dedicated non-root service account with minimal filesystem permissions.

  3. Access control

    Restrict local shell access to MLflow hosts; enforce SSH key-based auth with MFA for jump hosts.

  4. Secrets hygiene

    Remove cloud credentials and API keys from MLflow process environment variables; use IAM instance roles or secrets managers instead.

  5. Network isolation

    MLflow servers should not be internet-facing; place behind internal VPN or service mesh.

  6. Detection

    Alert on anomalous child processes spawned by the MLflow process (e.g., bash, sh, curl, wget as subprocesses of the MLflow PID).

  7. Audit

    Review MLflow server logs for unexpected experiment names or artifact paths containing shell metacharacters.
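One way to implement the Detection and Audit steps above, as an added example that is not from this page or the MLflow project: it walks constructed exec events looking for shells or download tools in the subtree of an MLflow server PID, and scans experiment names for shell metacharacters. The event shape, PIDs, process names and experiment names are all assumptions.

```python
import re
from typing import Dict, List

# Constructed sample exec events (not real telemetry); the fields mirror what
# auditd or eBPF exec tracing exposes: pid, ppid, comm, cmdline.
PROC_EVENTS = [
    {"pid": 4101, "ppid": 1,    "comm": "python3",  "cmdline": "python3 -m mlflow server --host 0.0.0.0 --port 5000"},
    {"pid": 4187, "ppid": 4101, "comm": "gunicorn", "cmdline": "gunicorn mlflow.server:app"},
    {"pid": 4230, "ppid": 4101, "comm": "sh",       "cmdline": "sh -c env"},
    {"pid": 4231, "ppid": 4230, "comm": "curl",     "cmdline": "curl http://placeholder.invalid/"},
    {"pid": 5000, "ppid": 1,    "comm": "sh",       "cmdline": "sh /etc/cron.hourly/logrotate"},
]

# Interpreters and fetch tools the advisory calls out as anomalous children.
SUSPICIOUS_COMMS = {"sh", "bash", "dash", "zsh", "curl", "wget"}
# Characters a shell would interpret; an experiment name should never contain them.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")


def mlflow_pids(events: List[Dict]) -> List[int]:
    """PIDs whose command line starts an MLflow tracking server or UI."""
    return [e["pid"] for e in events
            if re.search(r"\bmlflow (server|ui)\b", e["cmdline"])]


def suspicious_descendants(events: List[Dict]) -> List[int]:
    """Walk the whole subtree under each MLflow PID; flag shells and fetch tools."""
    flagged, frontier = [], set(mlflow_pids(events))
    while frontier:
        parent = frontier.pop()
        for e in events:
            if e["ppid"] == parent:
                if e["comm"] in SUSPICIOUS_COMMS:
                    flagged.append(e["pid"])
                frontier.add(e["pid"])  # keep walking; sh -> curl is the classic chain
    return sorted(flagged)


def audit_experiment_names(names: List[str]) -> List[str]:
    """Return experiment names containing shell metacharacters (log review step)."""
    return [n for n in names if SHELL_META.search(n)]


if __name__ == "__main__":
    print("suspicious child PIDs:", suspicious_descendants(PROC_EVENTS))
    print("suspicious names:", audit_experiment_names(["baseline-v2", "run; env", "$(date)"]))
```

The cron-spawned sh (PID 5000) is not flagged because it is outside the MLflow subtree, which is what keeps this check quiet on a host with other shell activity.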

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security; A.9.1 - Monitoring and measurement of AI systems
NIST AI RMF: GOVERN 6.1 - Policies and procedures for AI risk management; MANAGE 2.2 - Mechanisms to respond to detected AI risks
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2023-4033?

Any low-privileged local user on an MLflow server running < 2.6.0 can execute arbitrary OS commands — no special skills required. Upgrade to 2.6.0 immediately; MLflow nodes often sit adjacent to training data, model artifacts, and cloud credentials, making lateral movement trivial post-exploitation. Audit who has shell access to your MLflow hosts and ensure the service does not run as root.

Is CVE-2023-4033 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-4033, increasing the risk of exploitation.

How to fix CVE-2023-4033?

1. **Patch immediately**: Upgrade MLflow to >= 2.6.0 (patch commit: 6dde937). Verify with `pip show mlflow`.
2. **Least privilege**: Ensure the MLflow tracking server runs as a dedicated non-root service account with minimal filesystem permissions.
3. **Access control**: Restrict local shell access to MLflow hosts; enforce SSH key-based auth with MFA for jump hosts.
4. **Secrets hygiene**: Remove cloud credentials and API keys from MLflow process environment variables; use IAM instance roles or secrets managers instead.
5. **Network isolation**: MLflow servers should not be internet-facing; place them behind an internal VPN or service mesh.
6. **Detection**: Alert on anomalous child processes spawned by the MLflow process (e.g., `bash`, `sh`, `curl`, `wget` as subprocesses of the MLflow PID).
7. **Audit**: Review MLflow server logs for unexpected experiment names or artifact paths containing shell metacharacters.

What systems are affected by CVE-2023-4033?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking platforms, model training pipelines, model registry, MLOps CI/CD pipelines, shared GPU training clusters.

What is the CVSS score for CVE-2023-4033?

CVE-2023-4033 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.18%.

Technical Details

NVD Description

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.

Exploitation Scenario

An attacker (e.g., a malicious insider, compromised data scientist account, or attacker who pivoted from a Jupyter notebook) logs into a shared ML training server. They identify the MLflow tracking server is running a vulnerable version. They craft a malicious input — such as a specially constructed experiment name, artifact path, or parameter value containing shell metacharacters — that triggers unsanitized OS command execution. Within seconds they spawn a reverse shell (AML.T0072) running as the mlflow service user, then enumerate environment variables to harvest S3 credentials, access the model registry to exfiltrate proprietary model weights, and potentially pivot to the training data lake. The entire attack chain requires only basic Linux knowledge and takes under five minutes.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 1, 2023
Last Modified: November 22, 2024
First Seen: August 1, 2023
