CVE-2023-6015: MLflow: unauthenticated arbitrary file write via PUT
Severity: HIGH | PoC available
Any internet-exposed MLflow instance is at critical risk. An unauthenticated attacker can write arbitrary files to the server without credentials, potentially overwriting model artifacts, injecting malicious payloads, or poisoning training pipelines. Restrict MLflow network access to internal networks immediately and apply available patches — this should never be internet-facing.
What is the risk?
Effectively critical in real-world deployments despite CVSS 7.5. Zero-auth requirement combined with network accessibility and trivial exploitation creates maximum blast radius in ML environments, which historically lack network segmentation. MLflow instances are commonly deployed with default configurations and direct artifact store access, making lateral movement into the broader ML pipeline straightforward post-exploitation.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| MLflow | pip | — | No patch |
Do you use MLflow? You're affected.
What should I do?
7 steps:
1. Apply MLflow patch (versions released after 2023-11-16 address this).
2. If unpatched, immediately firewall MLflow port (default 5000/5001) to trusted CIDR ranges only.
3. Deploy MLflow behind an authenticating reverse proxy (OAuth2/OIDC or mTLS).
4. Audit artifact store for unexpected files — compare checksums against known-good baseline.
5. Enable file integrity monitoring on MLflow artifact directories and alert on unexpected writes.
6. If previously internet-exposed, treat as compromised: rotate all credentials, audit model artifacts for tampering, re-train from verified data snapshots.
7. Scan artifact store for deserialization risks (.pkl, .joblib files) that may have been replaced.
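An added example (not MLflow's own tooling) that carries out steps 4 and 7 above: it hashes every file under an artifact root, stores the baseline as JSON, and reports added, removed and modified files, flagging serialized model formats separately. The artifact layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Formats that execute code when loaded; a changed file here is the worst case.
SERIALIZED_SUFFIXES = {".pkl", ".pickle", ".joblib"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under the artifact root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, baseline: dict) -> dict:
    """Diff the live artifact root against a known-good baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    high_risk = sorted(p for p in added + modified if Path(p).suffix in SERIALIZED_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified, "high_risk": high_risk}


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def demo() -> dict:
    """Constructed sample store (not real MLflow output): baseline it, tamper, audit."""
    root = Path(tempfile.mkdtemp(prefix="artifacts-"))
    model = root / "0" / "run1" / "artifacts" / "model"
    model.mkdir(parents=True)
    (model / "MLmodel").write_text("artifact_path: model\n")
    (model / "model.pkl").write_bytes(b"constructed pickle bytes")
    baseline_path = Path(tempfile.mkdtemp(prefix="baseline-")) / "baseline.json"
    save_baseline(build_baseline(root), baseline_path)  # keep the baseline off the MLflow host
    # Simulate the two outcomes the advisory warns about: a replaced model and a dropped file.
    (model / "model.pkl").write_bytes(b"replaced pickle bytes")
    (root / "app").mkdir()
    (root / "app" / "model.py").write_text("# unexpected file\n")
    return audit(root, json.loads(baseline_path.read_text()))
```

In a real deployment, run build_baseline() against the artifact root while it is known-good, keep the JSON somewhere the MLflow host cannot write, and schedule audit() alongside file integrity monitoring.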
Frequently Asked Questions
Is CVE-2023-6015 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-6015, increasing the risk of exploitation.
What systems are affected by CVE-2023-6015?
This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking systems, model serving, ML CI/CD pipelines.
What is the CVSS score for CVE-2023-6015?
CVE-2023-6015 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 4.41%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0018 Manipulate AI Model
- AML.T0018.000 Poison AI Model
- AML.T0020 Poison Training Data
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
MLflow allowed arbitrary files to be PUT onto the server.
Exploitation Scenario
An attacker discovers an exposed MLflow instance via Shodan or a public IP scan on port 5000. With a single unauthenticated HTTP PUT request using a path traversal payload in the artifact URI (e.g., ../../app/model.py), they write a malicious Python file to the server filesystem. When the next scheduled training job or CI/CD pipeline loads a 'model' from the artifact store, the malicious file executes with the ML worker's privileges — granting a persistent foothold in the ML infrastructure. Alternatively, the attacker replaces a legitimate serialized model (.pkl) with a maliciously pickled object that executes arbitrary code upon model.load() calls in any downstream inference service.
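The request shape described above is what a defender should look for in the access log of a reverse proxy placed in front of MLflow. This added example (not from the advisory or from MLflow) fully percent-decodes the artifact path, normalizes it against a stand-in root, and flags PUT requests whose path would resolve outside that root, while leaving in-root paths such as 0/../1/x.pkl alone; the nginx combined log format, the /api/2.0/mlflow-artifacts/artifacts/ route prefix and the log lines themselves are assumptions constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# nginx "combined" format in front of MLflow; assumed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# MLflow's proxied-artifact route prefix (assumption; adjust to your deployment).
ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/artifacts/"
FAKE_ROOT = "/artifact-root"  # stand-in for the real artifact root


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) before inspecting."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(rel: str) -> bool:
    """True if the artifact path resolves outside the root ('a/../b' stays inside)."""
    decoded = decode_fully(rel).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(FAKE_ROOT, decoded))
    return not (resolved == FAKE_ROOT or resolved.startswith(FAKE_ROOT + "/"))


def analyze(line: str, methods=("PUT",)):
    """Return a finding for a traversal request to the artifact route, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in methods:
        return None
    path = m["path"].split("?", 1)[0]
    rel = path[len(ARTIFACT_PREFIX):]
    if not path.startswith(ARTIFACT_PREFIX) or not escapes_root(rel):
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "path": decode_fully(rel)}


def scan(lines, methods=("PUT",)):
    return [hit for hit in (analyze(line, methods) for line in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Nov/2023:10:01:02 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/..%2F..%2Fapp%2Fmodel.py HTTP/1.1" 200 0 "-" "python-requests"',
    '10.0.0.5 - - [16/Nov/2023:10:02:10 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/0/run1/artifacts/model/model.pkl HTTP/1.1" 200 0 "-" "python-requests"',
    '10.0.0.5 - - [16/Nov/2023:10:02:11 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/0/../1/x.pkl HTTP/1.1" 200 0 "-" "python-requests"',
    '198.51.100.9 - - [16/Nov/2023:10:04:00 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/%252e%252e/%252e%252e/tmp/x.py HTTP/1.1" 200 0 "-" "curl"',
]
```

Passing methods=("PUT", "GET") to scan() applies the same check to reads, which is the pattern of the related read-traversal CVEs listed at the end of this page.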
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
Same package (mlflow):
- CVE-2025-15379 (10.0) MLflow: RCE via unsanitized model dependency specs
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read
- CVE-2026-2635 (9.8) mlflow: security flaw enables exploitation
- CVE-2023-1177 (9.8) MLflow: path traversal allows arbitrary file read/write
- CVE-2023-2780 (9.8) MLflow: path traversal allows arbitrary file read/write