CVE-2023-6018: MLflow: unauth file overwrite enables model poisoning

Severity: CRITICAL · Public PoC available · Nuclei template available
Published November 16, 2023
CISO Take

Any unpatched MLflow tracking server that an attacker can reach over the network lets that attacker, with no credentials, overwrite any file the MLflow process can write. That is enough to replace production model artifacts or training data and to plant backdoors that run on the next model load or training job. Patch immediately or isolate MLflow behind a VPN/firewall; treat any exposed instance as already compromised.

What is the risk?

CVSS 9.8 with no prerequisites (no authentication, no user interaction, low attack complexity) makes this trivially weaponizable by any attacker with network reach, including one operating from a compromised internal host. MLflow is commonly deployed on internal networks with permissive east-west controls, so a single foothold is usually enough to reach it. The blast radius extends beyond the MLflow server itself: poisoned artifacts flow silently into the downstream production AI systems that load them.

What systems are affected?

Package   Ecosystem   Vulnerable Range             Patched
MLflow    pip         (not listed on this page)    No patched version listed
No fixed release is recorded in this listing; confirm the patched version against the upstream MLflow advisory before relying on "patch to the latest release" in the remediation steps.

If you run an MLflow tracking server that has not been updated to a release containing the fix, assume it is affected.

How severe is it?

CVSS 3.1 base score: 9.8 / 10 (Critical)
EPSS: 47.9% probability of exploitation within 30 days, higher than 99% of all CVEs
Exploitation status: exploit available; exploitation likelihood MEDIUM; sophistication trivial; exploitation confidence medium
  • Public PoC indexed (trickest/cve)
  • Nuclei detection template available
  • EPSS exploit prediction: 48%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network   AC: Low   PR: None   UI: None   S: Unchanged   C: High   I: High   A: High

What should I do?

6 steps
  1. Patch MLflow to a release that contains the fix; this is the only full remediation.
  2. If patching is blocked, restrict network access to MLflow via firewall or VPN with strict allowlisting; treat the default port 5000 as high-risk.
  3. Enable MLflow's built-in authentication (mlflow server --app-name basic-auth), available from MLflow 2.5.0 onward.
  4. Audit MLflow server access logs for unexpected artifact upload requests, especially paths carrying traversal patterns (../, ..%2F, %2e%2e and double-encoded variants such as %252e%252e).
  5. Verify the integrity of all stored model artifacts via checksums or cryptographic signatures recorded outside the MLflow host before the next deployment.
  6. Place MLflow behind an authenticated API gateway or reverse proxy as a defense-in-depth measure.
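The log audit in step 4, worked as an added example that is not part of this advisory or of MLflow: a small Python script run over constructed access-log lines (combined log format) that flags write requests to the artifact route whose path still contains a parent-directory segment after percent-decoding, including double-encoded variants that a single decode misses. The route prefix, the request method and every log line are assumptions for illustration; adjust them to your server's actual log format and artifact route.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for illustration only.
# The artifact upload route and method are assumed; change ARTIFACT_PREFIX for your deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2023:10:01:02 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/1/abc123/model/model.pkl HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
10.0.0.9 - - [16/Nov/2023:10:03:17 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/..%2F..%2F..%2Fetc%2Fcron.d%2Fjob HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.0.9 - - [16/Nov/2023:10:03:18 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/%252e%252e/%252e%252e/srv/mlflow/models/model.pkl HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.0.5 - - [16/Nov/2023:10:05:00 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"PUT", "POST", "PATCH"}
ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/artifacts/"  # assumed artifact upload route


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e (double-encoded '..') is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_indicators(raw_path: str) -> list[str]:
    """Return the reasons a request path looks like a traversal attempt (empty list if clean)."""
    decoded = fully_decode(raw_path)
    indicators = []
    if ".." in decoded.split("/"):
        indicators.append("dot-dot segment")
    if "\\" in decoded:
        indicators.append("backslash separator")
    if "\x00" in decoded:
        indicators.append("NUL byte")
    # If one decode and the stable decode differ, the client sent a double-encoded path.
    if unquote(raw_path) != decoded:
        indicators.append("double encoding")
    return indicators


def audit_log(log_text: str) -> list[dict]:
    """Flag write requests to the artifact route whose path carries traversal indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] not in WRITE_METHODS or not m["path"].startswith(ARTIFACT_PREFIX):
            continue
        indicators = traversal_indicators(m["path"])
        if indicators:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "decoded_path": fully_decode(m["path"]),
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["decoded_path"], ", ".join(f["indicators"]))
```

Run it against a real log with `audit_log(open(path).read())`. Decoding repeatedly until the result is stable is what catches `%252e%252e`; comparing the single-decode result against the stable result is how the script reports double encoding as its own indicator, since that pattern almost never appears in legitimate client traffic. A 200 status on a flagged line means the write was accepted and the target file should be treated as tampered.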

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2.3 - Data integrity for AI systems
  • A.9.4 - AI system security controls
NIST AI RMF
  • MANAGE 2.2 - Mechanisms for AI risk response
  • MEASURE 2.5 - AI system security and resilience evaluation
OWASP LLM Top 10
  • LLM04:2025 - Data and Model Poisoning (listed as LLM03 - Training Data Poisoning in the 2023 edition)

Frequently Asked Questions

What is CVE-2023-6018?

CVE-2023-6018 is an unauthenticated arbitrary file overwrite in MLflow: a request to a network-reachable tracking server can write attacker-controlled content to any path the MLflow process can write, with no credentials required. In an ML pipeline that means production model artifacts, training data and pipeline scripts can be silently replaced with backdoored versions. Patch immediately or isolate MLflow behind a VPN/firewall, and treat any exposed instance as already compromised.

Is CVE-2023-6018 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6018, increasing the risk of exploitation.

How to fix CVE-2023-6018?

  1. Patch MLflow to a release that contains the fix; this is the only full remediation.
  2. If patching is blocked, restrict network access to MLflow via firewall or VPN with strict allowlisting; treat the default port 5000 as high-risk.
  3. Enable MLflow's built-in authentication (mlflow server --app-name basic-auth), available from MLflow 2.5.0 onward.
  4. Audit MLflow server access logs for unexpected artifact upload requests, especially paths carrying traversal patterns (../, ..%2F, %2e%2e and double-encoded variants such as %252e%252e).
  5. Verify the integrity of all stored model artifacts via checksums or cryptographic signatures recorded outside the MLflow host before the next deployment.
  6. Place MLflow behind an authenticated API gateway or reverse proxy as a defense-in-depth measure.

What systems are affected by CVE-2023-6018?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps platforms, model registries, experiment tracking systems.

What is the CVSS score for CVE-2023-6018?

CVE-2023-6018 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 47.87%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps platforms, model registries, experiment tracking systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0018 Manipulate AI Model
AML.T0020 Poison Training Data
AML.T0049 Exploit Public-Facing Application
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.3, A.9.4
NIST AI RMF: MANAGE 2.2, MEASURE 2.5
OWASP LLM Top 10: LLM04:2025 (Data and Model Poisoning; LLM03 in the 2023 edition)

What are the technical details?

Original Advisory

An attacker can overwrite any file on the server hosting MLflow without any authentication.
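To make the advisory's one-sentence description concrete, here is an added example (not MLflow's code and not from the advisory) of the bug class and its fix: a naive resolver that joins a client-supplied artifact path under the artifact root without a containment check, next to a hardened resolver that decodes once, rejects absolute paths, backslashes, NUL bytes and any `..` segment, and then proves that the normalised target still lies under the root. The root directory and the artifact paths are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

ARTIFACT_ROOT = "/srv/mlflow/artifacts"  # assumed artifact root, for illustration only


def resolve_vulnerable(root: str, artifact_path: str) -> str:
    """The bug class the advisory describes: the client-supplied path is joined under the
    root and normalised, but nothing checks that the result is still inside the root, so
    '../../../etc/cron.d/job' resolves to /etc/cron.d/job and the write lands there."""
    return posixpath.normpath(posixpath.join(root, unquote(artifact_path)))


def resolve_hardened(root: str, artifact_path: str) -> str:
    """Decode exactly once, reject absolute paths, backslashes and NUL, drop empty and '.'
    segments, refuse any '..' segment, then prove containment on the normalised result.
    On a live filesystem resolve root with os.path.realpath first so symlinks cannot escape."""
    decoded = unquote(artifact_path)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise ValueError(f"rejected artifact path: {artifact_path!r}")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if not segments or any(s == ".." for s in segments):
        raise ValueError(f"rejected artifact path: {artifact_path!r}")
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, *segments))
    # Redundant with the segment filter on purpose: the target must sit under root even if
    # segment parsing changes later.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError(f"rejected artifact path: {artifact_path!r}")
    return target


if __name__ == "__main__":
    payload = "..%2F..%2F..%2Fetc%2Fcron.d%2Fjob"
    print("vulnerable resolves to:", resolve_vulnerable(ARTIFACT_ROOT, payload))
    try:
        resolve_hardened(ARTIFACT_ROOT, payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened, benign:", resolve_hardened(ARTIFACT_ROOT, "1/abc123/model/model.pkl"))
```

The segment filter and the `commonpath` check are deliberately redundant: either alone stops the traversal shown, but the containment check also survives future changes to how segments are parsed. Decoding exactly once is a policy choice that must match what the web framework in front of the handler already does; decoding twice would turn a literal `%2e%2e` directory name into a traversal.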

Exploitation Scenario

The attacker scans for MLflow instances on port 5000 (or common alternatives) using Shodan or internal network enumeration. Having found an exposed instance, they send an HTTP POST to the MLflow artifacts endpoint with a path traversal payload in the artifact path parameter, causing MLflow to write attacker-controlled content to an arbitrary location with the privileges of the server process, for example overwriting a registered production model binary (such as model.pkl) with a malicious serialized object. On the next model load by the serving infrastructure, the poisoned pickle executes attacker code in the context of the inference server. Alternatively, the attacker overwrites a Python script in the MLflow project directory; it runs during the next scheduled training job, giving a persistent foothold in the ML pipeline.
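The second half of this scenario, the poisoned model.pkl that runs code on load, as an added example that is not MLflow's code and not from the advisory: a constructed pickle whose `__reduce__` records an `os.system` call, a scanner that walks the opcode stream with `pickletools` without executing anything and reports every opcode that can import or invoke a callable, and a loader that checks a SHA-256 recorded at training time before it even scans. The model contents and the digest store are assumptions; the poisoned bytes are only scanned, never unpickled.

```python
import hashlib
import hmac
import os
import pickle
import pickletools

# Opcodes that import a callable, invoke one, or build arbitrary objects while loading.
EXECUTABLE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class Backdoor:
    """Constructed poisoned artifact: pickling this records a call to os.system that would
    run the moment the bytes are unpickled. It is scanned below, never loaded."""

    def __reduce__(self):
        return (os.system, ("echo poisoned",))


# Constructed sample artifacts: a harmless parameter dict and the backdoored object.
BENIGN_MODEL = pickle.dumps({"weights": [0.1, 0.2, 0.3], "bias": 0.5}, protocol=4)
POISONED_MODEL = pickle.dumps(Backdoor(), protocol=4)


def scan_pickle(data: bytes) -> list[str]:
    """Walk the opcode stream with pickletools (no code runs) and report executable opcodes,
    naming the module.attr that GLOBAL / STACK_GLOBAL would import."""
    findings = []
    recent_strings: list[str] = []  # STACK_GLOBAL takes module and name from the two preceding strings
    for op, arg, pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings = (recent_strings + [arg])[-2:]
        if op.name == "GLOBAL":
            findings.append(f"pos {pos}: GLOBAL {arg.replace(' ', '.')}")
        elif op.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            findings.append(f"pos {pos}: STACK_GLOBAL {recent_strings[0]}.{recent_strings[1]}")
        elif op.name in EXECUTABLE_OPCODES:
            findings.append(f"pos {pos}: {op.name}")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_model_safely(data: bytes, expected_sha256: str):
    """Gate on a digest recorded at training time, then on the opcode scan, before unpickling."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise ValueError("artifact digest mismatch: artifact may have been overwritten")
    findings = scan_pickle(data)
    if findings:
        raise ValueError("refusing to unpickle executable opcodes: " + "; ".join(findings))
    return pickle.loads(data)


if __name__ == "__main__":
    print("benign   :", scan_pickle(BENIGN_MODEL))
    print("poisoned :", scan_pickle(POISONED_MODEL))
```

Keep the digest manifest off the MLflow host (in the CI system or a signed release record): an attacker who can overwrite any file on the server can overwrite a manifest stored beside the artifact just as easily. The opcode scan is a coarse gate. Legitimate models pickled from library classes necessarily contain GLOBAL and REDUCE, so in practice a per-deployment allowlist of permitted module.attr pairs replaces the blanket refusal, or the artifact is stored in a format that carries no executable content at all.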

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Note that the advisory text above describes writing attacker-controlled content to an arbitrary path, which is a path-traversal / arbitrary-file-write weakness rather than command injection; the CWE-78 mapping is the one carried by the source feed. Treat the file-path containment and integrity controls in the remediation section as the primary mitigation and the command-injection guidance below as supplementary.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
November 16, 2023
Last Modified
November 21, 2024
First Seen
November 16, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2023/CVE-2023-6018.yaml -u https://target.example.com
