CVE-2023-6018: MLflow: unauth file overwrite enables model poisoning

Severity: CRITICAL | PoC available | Nuclei template available
Published November 16, 2023
CISO Take

Any network-reachable MLflow instance is fully compromised — no credentials required. An attacker can silently overwrite production model artifacts, training data, or deploy backdoors into your ML pipeline. Patch immediately or isolate MLflow behind a VPN/firewall; treat any exposed instance as already compromised.

Risk Assessment

CVSS 9.8 with zero prerequisites (no auth, no interaction, low complexity) makes this trivially weaponizable by any attacker with network reach — including a compromised internal host. MLflow is commonly deployed on internal networks with permissive east-west controls, giving broad lateral movement potential. The blast radius extends beyond the MLflow server itself: poisoned artifacts cascade silently into downstream production AI systems.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip                            No patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 91.3% chance of exploitation in 30 days (higher than 100% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Signals:
  Public PoC indexed (trickest/cve)
  Nuclei detection template available
  EPSS exploit prediction: 91%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

  1. Patch MLflow to the latest release immediately — this is the only full remediation.
  2. If patching is blocked, restrict network access to MLflow via firewall or VPN with strict allowlisting; treat default port 5000 as high-risk.
  3. Enable MLflow's built-in authentication (--app-name basic-auth) if running post-2.4.x.
  4. Audit MLflow server access logs for unexpected artifact upload requests, especially those containing path traversal patterns (../, %2F).
  5. Verify integrity of all stored model artifacts via checksums or cryptographic signatures before next deployment.
  6. Place MLflow behind an authenticated API gateway or reverse proxy as a defense-in-depth measure.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 (Accuracy, robustness and cybersecurity); Article 9 (Risk management system)
ISO 42001: A.6.2.3 (Data integrity for AI systems); A.9.4 (AI system security controls)
NIST AI RMF: MANAGE 2.2 (Mechanisms for AI risk response); MEASURE 2.5 (AI system security and resilience evaluation)
OWASP LLM Top 10: LLM03:2025 (Training Data Poisoning)

Frequently Asked Questions

What is CVE-2023-6018?

Any network-reachable MLflow instance is fully compromised — no credentials required. An attacker can silently overwrite production model artifacts, training data, or deploy backdoors into your ML pipeline. Patch immediately or isolate MLflow behind a VPN/firewall; treat any exposed instance as already compromised.

Is CVE-2023-6018 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6018, increasing the risk of exploitation.

How to fix CVE-2023-6018?

  1. Patch MLflow to the latest release immediately — this is the only full remediation.
  2. If patching is blocked, restrict network access to MLflow via firewall or VPN with strict allowlisting; treat default port 5000 as high-risk.
  3. Enable MLflow's built-in authentication (--app-name basic-auth) if running post-2.4.x.
  4. Audit MLflow server access logs for unexpected artifact upload requests, especially those containing path traversal patterns (../, %2F).
  5. Verify integrity of all stored model artifacts via checksums or cryptographic signatures before next deployment.
  6. Place MLflow behind an authenticated API gateway or reverse proxy as a defense-in-depth measure.
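As an added example (not code from the advisory or from the MLflow project) for steps 4 and 5 of the Recommended Action list, which this answer repeats: a Python script that flags artifact upload requests whose path carries a traversal pattern, including the double-encoded form, and verifies stored artifacts against a SHA-256 manifest before deployment. The access-log format, the endpoint paths and the sample lines are constructed assumptions, not captured MLflow output.

```python
"""Added example, not code from the advisory or from MLflow: flag artifact-upload log
lines carrying a traversal pattern (step 4) and verify stored artifacts against a
SHA-256 manifest (step 5). Log format and endpoint paths below are constructed."""
import hashlib
import re
from pathlib import Path
from urllib.parse import unquote

SAMPLE_LOG = """10.0.0.5 - - [16/Nov/2023:10:01:02 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/1/run1/model.pkl HTTP/1.1" 200 12
10.0.0.9 - - [16/Nov/2023:10:02:15 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/..%2F..%2Fetc%2Fcron.d%2Fjob HTTP/1.1" 200 0
10.0.0.9 - - [16/Nov/2023:10:02:16 +0000] "POST /api/2.0/mlflow-artifacts/artifacts/%252e%252e/x HTTP/1.1" 200 0
10.0.0.5 - - [16/Nov/2023:10:03:00 +0000] "GET /api/2.0/mlflow/experiments/list HTTP/1.1" 200 88
"""  # constructed sample lines; the combined-log format is an assumption
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UPLOAD_METHODS = {"POST", "PUT"}

def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded %252e%252e also becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path: str) -> bool:
    """True when a decoded segment is '..' or the raw path carries an encoded slash (%2F)."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/")) or "%2f" in raw_path.lower()

def flag_suspicious_uploads(log_text: str) -> list[dict]:
    """Upload requests (POST/PUT) to an artifacts path whose path matches a traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] in UPLOAD_METHODS and "/artifacts" in m["path"] and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"], "status": m["status"]})
    return hits

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_dir(root: Path) -> dict[str, bytes]:
    """Read every file under an artifact directory into a name -> bytes mapping."""
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}

def verify_artifacts(manifest: dict[str, str], contents: dict[str, bytes]) -> list[str]:
    """Names that are missing or whose SHA-256 differs from the manifest; empty means clean."""
    return [name for name, expected in manifest.items()
            if name not in contents or sha256_of(contents[name]) != expected]
```

Run `flag_suspicious_uploads` over the real access log and `verify_artifacts(manifest, load_dir(artifact_root))` against a manifest recorded at training time; any non-empty result is a reason to block the deployment and investigate.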

What systems are affected by CVE-2023-6018?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps platforms, model registries, experiment tracking systems.

What is the CVSS score for CVE-2023-6018?

CVE-2023-6018 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 91.27%.

Technical Details

NVD Description

An attacker can overwrite any file on the server hosting MLflow without any authentication.

Exploitation Scenario

Attacker scans for MLflow instances on port 5000 (or common alternatives) using Shodan or internal network enumeration. Finding an exposed instance, they craft an HTTP POST to the MLflow artifacts endpoint with a path traversal payload in the artifact path parameter, causing MLflow to write attacker-controlled content to an arbitrary server location — for example, overwriting a registered production model binary (e.g., model.pkl) with a malicious serialized object. On next model load by the serving infrastructure, the poisoned model executes attacker code in the context of the inference server. Alternatively, attacker overwrites a Python script in the MLflow project directory; it executes during the next scheduled training run, achieving persistent foothold in the ML pipeline.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 16, 2023
Last Modified: November 21, 2024
First Seen: November 16, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE (the template is published on GitHub). You can scan your infrastructure for this vulnerability immediately:

    nuclei -t http/cves/2023/CVE-2023-6018.yaml -u https://target.example.com

Related Vulnerabilities