CVE-2023-6014: MLflow: auth bypass allows arbitrary account creation

CRITICAL | PoC available | CISA SSVC: Attend
Published November 16, 2023
CISO Take

Any unauthenticated attacker with network access to your MLflow instance can create accounts, including admin-level accounts, without any credentials. If MLflow is reachable beyond localhost (internal network, VPN, or the internet), treat this as a full platform compromise: the attacker gains access to experiments, model artifacts, and training data. Patch immediately and audit existing accounts for unauthorized entries.

What is the risk?

CRITICAL. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means any attacker with network reach can exploit it with no credentials and no user interaction. MLflow is frequently deployed with minimal network controls in data science environments, often on internal ports reachable from broad corporate segments or exposed directly to the internet. Zero-barrier exploitation combined with access to high-value ML assets (models, training data, experiment logs) pushes the real-world risk beyond the already critical score.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable range: not listed on this page
Patched: no fixed version listed on this page (see the huntr advisory and the MLflow changelog)

If you run an MLflow tracking server that other hosts can reach, assume you are affected until you have confirmed the installed version is fixed.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 63% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM; sophistication trivial; exploitation confidence medium
CISA SSVC: public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. IMMEDIATE

    Restrict MLflow network access to localhost or VPN-only via firewall rules — block public/internal exposure if patching is delayed.

  2. PATCH

    Upgrade MLflow to the version that addresses this vulnerability (check the huntr advisory for the specific fixed version and review the MLflow changelog for releases after 2023-11-16); confirm the installed version with pip show mlflow.

  3. AUDIT

    List every account in the MLflow auth store (via the users API or the backing database) and compare it with your provisioning records; remove unrecognized accounts, clear any admin flag that was not granted deliberately, and rotate all API tokens. Do not rely on creation dates alone: an account that nobody provisioned is suspect whenever it appeared.

  4. DETECT

    Capture HTTP access logs for the MLflow server (from the WSGI server or the reverse proxy in front of it) and alert on requests to the account-creation endpoints, in particular GET requests that carry username or password query parameters; correlate hits with your user provisioning workflow so legitimate admin-driven creations can be tuned out.

  5. HARDEN

    Deploy MLflow behind a reverse proxy that enforces authentication (OAuth2/OIDC) as a defense-in-depth layer regardless of the built-in auth status, and bind the MLflow process to localhost so the proxy is the only path to it.

  6. VERIFY

    Confirm no unauthorized model versions were registered or existing models tampered with post-incident.
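The following script, added here as an example and not part of MLflow or of the original advisory, implements the DETECT and AUDIT steps above over constructed input: it parses combined-format access log lines (from the WSGI server or a reverse proxy), flags requests to the account-creation routes, and compares an account list against provisioning records. The route paths (/signup and /api/2.0/mlflow/users/create) are assumed to match MLflow's built-in basic-auth module, the account records are assumed to carry the username and is_admin fields that module exposes, and all log lines and accounts are constructed.

```python
"""Detect MLflow account-creation abuse in access logs and audit the account store.

Added example for the DETECT and AUDIT steps; not MLflow project code.
Assumptions (not from the advisory): the route paths match MLflow's built-in
basic-auth module, log lines are in Apache/nginx combined format, and account
records carry the "username" and "is_admin" fields that module exposes.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed account-creation routes of the built-in auth module.
ACCOUNT_CREATE_PATHS = {"/signup", "/api/2.0/mlflow/users/create"}
CREDENTIAL_KEYS = {"username", "password"}

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one access-log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Label a request to an account-creation route, or return None for other traffic."""
    if rec["path"] not in ACCOUNT_CREATE_PATHS:
        return None
    succeeded = rec["status"] < 400
    leaked = CREDENTIAL_KEYS & set(rec["query"])
    if rec["method"] == "GET" and leaked:
        # The request shape from the advisory: credentials in the URL (CWE-598).
        severity = "CRITICAL" if succeeded else "HIGH"
        return severity + ": GET to account-creation route with credentials in query string"
    if not succeeded:
        return "WARN: rejected account-creation attempt"
    if rec["user"] == "-":
        return "HIGH: account created with no authenticated user"
    return "INFO: account creation by " + rec["user"]


def scan_log(lines):
    """Return (client, method, path, label) for every flagged line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            findings.append((rec["client"], rec["method"], rec["path"], label))
    return findings


def audit_accounts(accounts, provisioned):
    """Compare the auth store with provisioning records.

    accounts: [{"username": str, "is_admin": bool}, ...] as listed from the auth store
    provisioned: {username: expected_is_admin} from your user-provisioning system
    Returns (accounts nobody provisioned, accounts with an unexpected admin flag).
    No creation timestamp is needed: anything absent from the provisioning
    records is suspect regardless of when it appeared.
    """
    unknown = [a["username"] for a in accounts if a["username"] not in provisioned]
    escalated = [
        a["username"] for a in accounts
        if a["username"] in provisioned and a["is_admin"] and not provisioned[a["username"]]
    ]
    return unknown, escalated


# Constructed sample data, not captured traffic or a real account list.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Nov/2023:02:11:09 +0000] "GET /signup?username=eve&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.8 - alice [17/Nov/2023:09:30:00 +0000] "POST /api/2.0/mlflow/users/create HTTP/1.1" 200 64',
    '10.0.0.9 - - [17/Nov/2023:09:31:00 +0000] "POST /api/2.0/mlflow/users/create HTTP/1.1" 401 0',
    '10.0.0.5 - - [17/Nov/2023:02:12:00 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 2048',
]
SAMPLE_ACCOUNTS = [
    {"username": "admin", "is_admin": True},
    {"username": "alice", "is_admin": False},
    {"username": "bob", "is_admin": True},
    {"username": "eve", "is_admin": False},
]
PROVISIONED = {"admin": True, "alice": False, "bob": False}

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("unknown, escalated =", audit_accounts(SAMPLE_ACCOUNTS, PROVISIONED))
```

Point scan_log at the real log file (for example, scan_log(open(path)) on the proxy's access log; gunicorn's default access-log format has the same leading fields) and feed audit_accounts the output of the auth store's user listing together with the user list from your provisioning system. The user field only means something when the proxy or server records the Basic-auth user, which is why a successful creation with "-" in that field is flagged on its own.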

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
  Art. 9 - Risk management system
ISO 42001
  A.6.2.6 - AI system access control
  A.9.1 - AI system logging and monitoring
NIST AI RMF
  GOVERN-6.1 - Policies for AI risk and security
  MANAGE-2.2 - Mechanisms to sustain treatment of AI risks

Frequently Asked Questions

What is CVE-2023-6014?

CVE-2023-6014 is an authentication bypass in MLflow's account-creation endpoint: any unauthenticated attacker with network access to the instance can create accounts, including admin-level accounts, without credentials, and from there reach experiments, model artifacts, and training data. See the CISO Take above for the impact and the immediate actions.

Is CVE-2023-6014 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6014, increasing the risk of exploitation.

How to fix CVE-2023-6014?

Follow the six steps under "What should I do?" above: restrict network access to MLflow immediately, upgrade to the fixed version named in the huntr advisory, audit the account store and rotate API tokens, alert on account-creation requests in the access logs, put an authenticating reverse proxy in front of the server, and verify that no model versions were registered or tampered with.

What systems are affected by CVE-2023-6014?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking, model serving.

What is the CVSS score for CVE-2023-6014?

CVE-2023-6014 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.16%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, model registry, training pipelines, experiment tracking, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0012 Valid Accounts
AML.T0021 Establish Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15, Art.9
ISO 42001: A.6.2.6, A.9.1
NIST AI RMF: GOVERN-6.1, MANAGE-2.2

What are the technical details?

Original Advisory

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

Exploitation Scenario

An adversary scans for MLflow instances on the default port 5000 or common enterprise ports. Using the public huntr PoC, they send a crafted HTTP GET request with credentials embedded in query parameters to the MLflow account-creation endpoint, which performs no authentication check. Within seconds the attacker holds a valid MLflow account. From there they enumerate registered models through the Model Registry API, download production model binaries for IP theft or offline analysis, inspect experiment runs to reconstruct proprietary training pipelines and datasets, and register a backdoored model version pointing at a malicious artifact, which downstream CI/CD pipelines may automatically promote to staging or production.

Weaknesses (CWE)

CWE-598 — Use of HTTP Request With Sensitive Query String: the web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

  • [Implementation] When sending sensitive information, include it only in the request body or request headers, never in the query string. This may require avoiding GET requests.

CWE-598 captures only how the credentials travel: in a URL that ends up in access logs, proxy caches and browser history. The reason the account gets created is that the endpoint enforces no authentication check at all, as the advisory states; moving the credentials into a POST body without adding that check would leave the bypass intact.

Source: MITRE CWE corpus.
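To show the weakness beside its fix, the added example below (illustrative code, not MLflow's own handlers) implements a signup route that accepts the request shape described in the exploitation scenario above, a GET with credentials in the query string and no caller identity, next to a hardened version that only accepts an authenticated admin POSTing a JSON body. The handlers are framework-free functions so the example runs offline; the admin credential store, the route paths and the Basic-auth check are assumptions.

```python
"""CWE-598 and the missing authentication check, shown as vulnerable and hardened handlers.

Added illustration, not MLflow's own code. Handlers are framework-free
functions (method, target, headers, body) -> (status, message) so they run
offline. ADMIN_USERS, the route paths and the Basic-auth check are assumptions.
"""
import base64
import json
from urllib.parse import parse_qs, urlsplit

USERS = {}                           # username -> password; a real store would hash these
ADMIN_USERS = {"admin": "adminpw"}   # constructed admin credential store (assumption)


def vulnerable_signup(method, target, headers, body):
    """Creates an account for anyone who sends GET /signup?username=..&password=..

    Two defects: credentials ride in the query string (CWE-598), and nothing
    identifies the caller, so any network peer can create accounts.
    """
    parts = urlsplit(target)
    if parts.path != "/signup":
        return 404, "not found"
    q = parse_qs(parts.query)
    username = q.get("username", [None])[0]
    password = q.get("password", [None])[0]
    if not username or not password:
        return 400, "missing fields"
    USERS[username] = password       # no authentication check of any kind
    return 200, "created " + username


def basic_auth_header(user, password):
    """Build the Authorization header an admin client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _authenticated_admin(headers):
    """Return the admin username if the Basic credentials are valid, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return user if ADMIN_USERS.get(user) == pw else None


def hardened_create_user(method, target, headers, body):
    """Only an authenticated admin may create users, and only via a POST JSON body."""
    parts = urlsplit(target)
    if parts.path != "/api/2.0/mlflow/users/create":
        return 404, "not found"
    if method != "POST":
        return 405, "method not allowed"            # no GET route, so nothing to put in a URL
    if parts.query:
        return 400, "credentials must not be sent in the query string"
    if _authenticated_admin(headers) is None:
        return 401, "authentication required"       # the check the advisory says was bypassed
    try:
        payload = json.loads(body or "")
        username, password = payload["username"], payload["password"]
    except (ValueError, KeyError, TypeError):
        return 400, "invalid body"
    USERS[username] = password
    return 200, "created " + username


def access_log_line(method, target, status):
    """What a typical access log records: the full request target, query string included."""
    return f'"{method} {target} HTTP/1.1" {status}'


if __name__ == "__main__":
    target = "/signup?username=eve&password=hunter2"
    print(vulnerable_signup("GET", target, {}, None), access_log_line("GET", target, 200))
    print(hardened_create_user("GET", "/api/2.0/mlflow/users/create?username=eve&password=x", {}, None))
    print(hardened_create_user("POST", "/api/2.0/mlflow/users/create", {},
                               '{"username": "eve", "password": "x"}'))
    print(hardened_create_user("POST", "/api/2.0/mlflow/users/create",
                               basic_auth_header("admin", "adminpw"),
                               '{"username": "carol", "password": "x"}'))
```

The access_log_line helper makes the CWE-598 point concrete: the vulnerable route leaves "password=hunter2" in every log, proxy cache and browser history entry that records the request line, while the hardened route never has a password in the URL to leak. The 401 branch is the part that actually closes the bypass; the method and query-string checks only stop the transport problem.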

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
November 16, 2023
Last Modified
November 21, 2024
First Seen
November 16, 2023

Related Vulnerabilities