CVE-2023-6014: MLflow: auth bypass allows arbitrary account creation

Severity: CRITICAL | PoC available | CISA SSVC: Attend
Published November 16, 2023
CISO Take

Any unauthenticated attacker with network access to your MLflow instance can create accounts — including admin-level accounts — without any credentials. If MLflow is exposed beyond localhost (internal network, VPN, or internet), treat this as a full platform compromise: attacker gains access to experiments, model artifacts, and training data. Patch immediately and audit existing accounts for unauthorized entries.

Risk Assessment

CRITICAL. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable by any attacker with network reach. MLflow is frequently deployed with minimal network controls in data science environments, often on internal ports accessible to broad corporate segments or even exposed to the internet. The combination of zero-barrier exploitation and access to high-value ML assets (models, training data, experiment logs) elevates real-world risk beyond the already-critical score.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch
Package stats: 25.7K, OpenSSF 4.5, 624 dependents, pushed 7d ago, 24% patched, ~64d to patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.9% chance of exploitation in 30 days (higher than 75% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

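AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High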

Recommended Action

  1. IMMEDIATE

    Restrict MLflow network access to localhost or VPN-only via firewall rules — block public/internal exposure if patching is delayed.

  2. PATCH

    Upgrade MLflow to the version that addresses this vulnerability (check huntr advisory for specific fixed version; review MLflow changelog post-2023-11-16).

  3. AUDIT

    Query MLflow user database for accounts created after the vulnerability disclosure date; remove unrecognized accounts and rotate all API tokens.

  4. DETECT

    Enable MLflow access logs and alert on account creation events; correlate with known user provisioning workflows.

  5. HARDEN

    Deploy MLflow behind a reverse proxy with authentication (OAuth2/OIDC) as a defense-in-depth layer regardless of built-in auth status.

  6. VERIFY

    Confirm no unauthorized model versions were registered or existing models tampered with post-incident.
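
For the DETECT step, one way to flag account-creation requests in access logs. This is an added example, not code from MLflow or from this advisory. It assumes a fronting reverse proxy writing Combined Log Format and uses the user-creation path from MLflow's auth REST documentation (`/api/2.0/mlflow/users/create`, not stated on this page); the sample log lines and the provisioning-host allow-list are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# MLflow's documented user-creation REST path (from MLflow's auth docs, not this page).
CREATE_PATH = "/api/2.0/mlflow/users/create"
# Combined Log Format, as written by a fronting reverse proxy (assumed).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; addresses and usernames are made up.
SAMPLE_LOG = """\
10.0.4.17 - alice [16/Nov/2023:09:12:01 +0000] "POST /api/2.0/mlflow/users/create HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.50 - - [16/Nov/2023:09:14:44 +0000] "GET /api/2.0/mlflow/users/create?username=svc-x&password=REDACTED HTTP/1.1" 200 91 "-" "curl/8.4"
10.0.4.22 - bob [16/Nov/2023:09:15:02 +0000] "GET /api/2.0/mlflow/experiments/search?max_results=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.50 - - [16/Nov/2023:09:15:30 +0000] "POST /api/2.0/mlflow/users/create HTTP/1.1" 401 0 "-" "curl/8.4"
"""
PROVISIONING_HOSTS = {"10.0.4.17"}  # hypothetical allow-list of provisioning systems

def find_account_creation(log_text, approved_hosts=frozenset()):
    """Return one finding per request that targets the user-creation endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith(CREATE_PATH):
            continue
        reasons = []
        if m["user"] == "-":
            reasons.append("no authenticated user")
        if m["method"] != "POST":
            reasons.append("non-POST method")
        if {"username", "password"} & parse_qs(url.query, keep_blank_values=True).keys():
            reasons.append("credentials in query string")
        if m["ip"] not in approved_hosts:
            reasons.append("source not a provisioning host")
        # The query string is deliberately not copied into the finding.
        findings.append({"time": m["time"], "ip": m["ip"], "method": m["method"],
                         "status": int(m["status"]),
                         "succeeded": m["status"].startswith("2"), "reasons": reasons})
    return findings

def alerts(findings):
    """Successful creations with at least one anomaly are the ones to review."""
    return [f for f in findings if f["succeeded"] and f["reasons"]]

if __name__ == "__main__":
    for f in alerts(find_account_creation(SAMPLE_LOG, PROVISIONING_HOSTS)):
        print(f["time"], f["ip"], f["method"], f["status"], "; ".join(f["reasons"]))
```

Requests that carried credentials in the query string leave them in the raw access log, so treat those log files as containing secrets when rotating tokens in the AUDIT step.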

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
Art.9 - Risk management system

ISO 42001
A.6.2.6 - AI system access control
A.9.1 - AI system logging and monitoring

NIST AI RMF
GOVERN-6.1 - Policies for AI risk and security
MANAGE-2.2 - Mechanisms to sustain treatment of AI risks

Frequently Asked Questions

Is CVE-2023-6014 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6014, increasing the risk of exploitation.

What systems are affected by CVE-2023-6014?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking, model serving.

What is the CVSS score for CVE-2023-6014?

CVE-2023-6014 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.88%.

Technical Details

NVD Description

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

Exploitation Scenario

An adversary scans for MLflow instances on the default port 5000 or common enterprise ports. Using the huntr PoC, they send a crafted HTTP GET request with credentials embedded in query parameters to the MLflow account creation endpoint, bypassing authentication checks. Within seconds, the attacker has a valid MLflow account. They then enumerate all registered models via the Model Registry API, download production model binaries for IP theft or offline analysis, inspect experiment runs to reconstruct proprietary training pipelines and datasets, and register a backdoored model version pointing to a malicious artifact, which downstream CI/CD pipelines may automatically promote to staging or production.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 16, 2023
Last Modified: November 21, 2024
First Seen: November 16, 2023
