CVE-2023-6709: MLflow: SSTI enables RCE in ML experiment tracking

HIGH PoC AVAILABLE CISA: ATTEND
Published December 12, 2023
CISO Take

MLflow SSTI (CVSS 8.8) lets any authenticated user achieve RCE on the MLflow tracking server — the hub of your ML pipeline with access to model artifacts, training data, and likely cloud credentials. Patch to 2.9.2 immediately. If patching is delayed, isolate MLflow behind VPN or internal network and treat the server's cloud IAM credentials as compromised.

What is the risk?

HIGH. The attack profile is as dangerous as it gets short of unauthenticated: network-accessible, low complexity, no user interaction, low privilege required. MLflow servers routinely hold IAM roles/service account credentials for cloud storage (S3, GCS, Azure Blob), access to GPU clusters, and connectivity to model registries — dramatically amplifying blast radius beyond the MLflow host itself. Multi-tenant deployments are especially critical: a single compromised user account can pivot to all experiments, runs, and registered models.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 56% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Patch now: upgrade to MLflow >= 2.9.2 (patch commit 432b8cc).

  2. Restrict MLflow network exposure to VPN/internal networks — no public internet access.

  3. Audit and scope-down MLflow server IAM permissions to least-privilege (read-only access to storage where feasible).

  4. Rotate cloud credentials (AWS/GCP/Azure service accounts) accessible by the MLflow server as a precaution.

  5. Review MLflow access logs for anomalous template-like strings ({{ }}, {% %}, ${ }) in experiment names, run tags, or artifact paths.

  6. Implement SIEM alerting for unexpected outbound connections from the MLflow host.
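As an added example in support of step 5 (not code from this page or from the MLflow project), the following Python scans constructed MLflow access-log lines for the template delimiters named above, URL-decoding the request path first so that percent-encoded markers such as %7B%7B are not missed. The log format, endpoint paths in the sample lines and the user names are assumptions; note that POST bodies (for example set-tag requests) never appear in an access log and need application-level logging instead.

```python
import re
from urllib.parse import unquote_plus

# Delimiters from step 5 ({{ }}, {% %}, ${ }) plus Jinja-style comment markers.
TEMPLATE_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\$\{|\{#|#\}")

# Minimal combined-log parser (assumed format): client, user, timestamp,
# method, path+query, status. Enough for the constructed samples below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded markers surface."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_template_markers(text: str) -> list:
    """Distinct template delimiters present in text after decoding, sorted."""
    return sorted(set(TEMPLATE_MARKERS.findall(decode_fully(text))))

def scan_access_log(lines) -> list:
    """Return one finding per request whose path/query carries template markers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        markers = find_template_markers(m["path"])
        if markers:
            findings.append({"user": m["user"], "ts": m["ts"], "method": m["method"],
                             "path": m["path"], "markers": markers})
    return findings

# Constructed sample lines, not real traffic. Line 2 carries "{{ }}" percent-encoded,
# line 4 carries "${ }"; line 3 is a POST whose body (the tag value) is not logged here.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Dec/2023:10:01:02 +0000] "GET /api/2.0/mlflow/experiments/get-by-name?experiment_name=baseline-v1 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [12/Dec/2023:10:02:15 +0000] "GET /api/2.0/mlflow/experiments/get-by-name?experiment_name=%7B%7B+config+%7D%7D HTTP/1.1" 200 488',
    '10.0.0.9 - bob [12/Dec/2023:10:02:40 +0000] "POST /api/2.0/mlflow/runs/set-tag HTTP/1.1" 200 30',
    '10.0.0.7 - carol [12/Dec/2023:10:03:01 +0000] "GET /api/2.0/mlflow/artifacts/list?path=%24%7Bmodel%7D HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} {f['method']} {f['path']} markers={f['markers']}")
```

Findings should be triaged against the experiment and run metadata stored by the tracking server, since a benign name can legitimately contain braces.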

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place and applied to sustain AI risk management
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2023-6709 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6709, increasing the risk of exploitation.


What systems are affected by CVE-2023-6709?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, experiment tracking, model registry, training pipelines, model serving.

What is the CVSS score for CVE-2023-6709?

CVE-2023-6709 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.93%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelines, experiment tracking, model registry, training pipelines, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

Exploitation Scenario

An attacker with a low-privilege MLflow account — obtained via phishing a data scientist, compromising a CI/CD service account, or credential stuffing — crafts an SSTI payload and injects it into a field processed by MLflow's template engine (e.g., an experiment name or run tag). Upon server-side rendering, the payload executes OS commands as the MLflow process. The attacker queries the AWS Instance Metadata Service (IMDSv1) to harvest IAM role credentials, then accesses S3 buckets containing training datasets and model weights. As a final step, the attacker registers a trojaned model version in the MLflow Model Registry, poisoning downstream production deployments that pull 'latest' automatically.

Weaknesses (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

  • [Architecture and Design] Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
  • [Implementation] Use the template engine's sandbox or restricted mode, if available.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: December 12, 2023
Last Modified: November 21, 2024
First Seen: December 12, 2023
