CVE-2023-4033: MLflow: OS command injection enables local code execution

GHSA-ffw3-6378-cqgp HIGH PoC AVAILABLE CISA: ATTEND
Published August 1, 2023
CISO Take

Any low-privileged local user on an MLflow server running < 2.6.0 can execute arbitrary OS commands — no special skills required. Upgrade to 2.6.0 immediately; MLflow nodes often sit adjacent to training data, model artifacts, and cloud credentials, making lateral movement trivial post-exploitation. Audit who has shell access to your MLflow hosts and ensure the service does not run as root.

What is the risk?

CVSS 7.8 with low complexity and no user interaction makes this straightforward to exploit for anyone with local shell access. While AV:L limits remote exploitation, MLflow is routinely deployed on shared infrastructure (Kubernetes worker nodes, multi-tenant GPU clusters, Jupyter environments) where 'local access' is broadly distributed among data scientists and engineers. AI/ML environments historically have weaker endpoint hardening than production application servers, increasing the real-world exposure significantly. EPSS of 0.002 suggests limited in-the-wild exploitation to date, but the low barrier makes opportunistic abuse realistic.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
MLflow    pip         < 2.6.0            2.6.0

MLflow package profile: 26.6K | OpenSSF 5.6 | 655 dependents | pushed 4d ago | 31% patched | ~51d to patch

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 64% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

7 steps
  1. Patch immediately

    Upgrade MLflow to >= 2.6.0 (patch commit: 6dde937). Verify with pip show mlflow.

  2. Least privilege

    Ensure MLflow tracking server runs as a dedicated non-root service account with minimal filesystem permissions.

  3. Access control

    Restrict local shell access to MLflow hosts; enforce SSH key-based auth with MFA for jump hosts.

  4. Secrets hygiene

    Remove cloud credentials and API keys from MLflow process environment variables; use IAM instance roles or secrets managers instead.

  5. Network isolation

    MLflow servers should not be internet-facing; place behind internal VPN or service mesh.

  6. Detection

    Alert on anomalous child processes spawned by the MLflow process (e.g., bash, sh, curl, wget as subprocesses of the MLflow PID).

  7. Audit

    Review MLflow server logs for unexpected experiment names or artifact paths containing shell metacharacters.
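An added audit helper for step 7, written for this page rather than taken from MLflow: it scans constructed tracking-server log lines in an assumed layout (the quoted `name`, `artifact_path` and `artifact_location` fields are illustrative, not MLflow's real log format) and reports every value containing a shell metacharacter.

```python
import re
from typing import List, Tuple

# Characters the shell treats specially; a legitimate experiment name or
# artifact path should never need them.
SHELL_META = re.compile(r"[;&|`$<>\\]")

# Quoted fields an experiment-tracking server might log for an experiment
# or artifact. The field names assume an illustrative layout, not MLflow's.
FIELD_RE = re.compile(r'\b(name|artifact_path|artifact_location)="([^"]*)"')

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '2023-08-01T10:02:11 INFO create_experiment name="baseline-resnet50" artifact_location="s3://ml-bucket/exp/1"',
    '2023-08-01T10:05:47 INFO create_experiment name="cv-run; id" artifact_location="s3://ml-bucket/exp/2"',
    '2023-08-01T10:07:03 INFO log_artifact run_id=7f3a artifact_path="models/$(hostname)/model.pkl"',
    '2023-08-01T10:09:30 INFO log_artifact run_id=7f3b artifact_path="models/weights_v2.pt"',
]


def find_shell_metacharacters(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, field, value) for each quoted field whose value
    contains a shell metacharacter. Line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for field, value in FIELD_RE.findall(line):
            if SHELL_META.search(value):
                findings.append((lineno, field, value))
    return findings


if __name__ == "__main__":
    for lineno, field, value in find_shell_metacharacters(SAMPLE_LOG):
        print(f"line {lineno}: suspicious {field}={value!r}")
```

Legitimate S3 or HTTP URIs pass because `/`, `:` and `.` are not in the set; widen or narrow SHELL_META to match what your artifact store actually allows in keys.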

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
A.9.1 - Monitoring and measurement of AI systems
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk management
MANAGE 2.2 - Mechanisms to respond to detected AI risks
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2023-4033?

Any low-privileged local user on an MLflow server running < 2.6.0 can execute arbitrary OS commands — no special skills required. Upgrade to 2.6.0 immediately; MLflow nodes often sit adjacent to training data, model artifacts, and cloud credentials, making lateral movement trivial post-exploitation. Audit who has shell access to your MLflow hosts and ensure the service does not run as root.

Is CVE-2023-4033 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-4033, increasing the risk of exploitation.

How to fix CVE-2023-4033?

1. **Patch immediately**: Upgrade MLflow to >= 2.6.0 (patch commit: 6dde937). Verify with `pip show mlflow`.
2. **Least privilege**: Ensure MLflow tracking server runs as a dedicated non-root service account with minimal filesystem permissions.
3. **Access control**: Restrict local shell access to MLflow hosts; enforce SSH key-based auth with MFA for jump hosts.
4. **Secrets hygiene**: Remove cloud credentials and API keys from MLflow process environment variables; use IAM instance roles or secrets managers instead.
5. **Network isolation**: MLflow servers should not be internet-facing; place behind internal VPN or service mesh.
6. **Detection**: Alert on anomalous child processes spawned by the MLflow process (e.g., `bash`, `sh`, `curl`, `wget` as subprocesses of the MLflow PID).
7. **Audit**: Review MLflow server logs for unexpected experiment names or artifact paths containing shell metacharacters.

What systems are affected by CVE-2023-4033?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking platforms, model training pipelines, model registry, MLOps CI/CD pipelines, shared GPU training clusters.

What is the CVSS score for CVE-2023-4033?

CVE-2023-4033 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 1.20%.

What is the AI security impact?

Affected AI Architectures

ML experiment tracking platforms, model training pipelines, model registry, MLOps CI/CD pipelines, shared GPU training clusters

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6, A.9.1
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.

Exploitation Scenario

An attacker (e.g., a malicious insider, compromised data scientist account, or attacker who pivoted from a Jupyter notebook) logs into a shared ML training server. They identify the MLflow tracking server is running a vulnerable version. They craft a malicious input — such as a specially constructed experiment name, artifact path, or parameter value containing shell metacharacters — that triggers unsanitized OS command execution. Within seconds they spawn a reverse shell (AML.T0072) running as the mlflow service user, then enumerate environment variables to harvest S3 credentials, access the model registry to exfiltrate proprietary model weights, and potentially pivot to the training data lake. The entire attack chain requires only basic Linux knowledge and takes under five minutes.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
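As an added illustration of the first mitigation (library calls instead of external processes), here is a hypothetical artifact-export helper written for this page; it is not MLflow's code and says nothing about where MLflow's own flaw was. The comment shows the CWE-78 anti-pattern of interpolating a caller-supplied name into a shell command; the function replaces the shell with shutil and adds a name allowlist and a containment check, both assumed controls beyond the page's text.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Hypothetical helper, not MLflow's code: stage a run artifact under a
# caller-chosen name. The CWE-78 anti-pattern would be:
#     os.system(f"cp {src} {staging_dir}/{artifact_name}")
# where a name such as 'run; id' becomes part of the command line.
# The hardened version below never invokes a shell at all.

# Assumed allowlist: alphanumerics, dot, underscore, dash; no separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def export_artifact(src: Path, artifact_name: str, staging_dir: Path) -> Path:
    """Copy src into staging_dir as artifact_name using library calls only.

    Raises ValueError if the name falls outside the allowlist (which also
    rules out every shell metacharacter) or if the resolved destination
    would land outside staging_dir.
    """
    if not SAFE_NAME.fullmatch(artifact_name):
        raise ValueError(f"rejected artifact name: {artifact_name!r}")
    staging_dir = staging_dir.resolve()
    dest = (staging_dir / artifact_name).resolve()
    if dest.parent != staging_dir:  # defence in depth against traversal
        raise ValueError("destination escapes staging directory")
    shutil.copy2(src, dest)  # library call replaces the external `cp`
    return dest


def demo() -> bool:
    """Self-check on constructed data: a clean name copies, a name carrying
    a shell metacharacter is rejected before any file operation."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "model.pkl"
        src.write_bytes(b"constructed-model-bytes")
        staging = root / "staging"
        staging.mkdir()
        out = export_artifact(src, "weights_v2.pkl", staging)
        copied = out.read_bytes() == src.read_bytes()
        try:
            export_artifact(src, "run; id", staging)
            rejected = False
        except ValueError:
            rejected = True
    return copied and rejected


if __name__ == "__main__":
    print("hardened export ok:", demo())
```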

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 1, 2023
Last Modified
November 22, 2024
First Seen
August 1, 2023

Related Vulnerabilities