CVE-2023-6709: MLflow: SSTI enables RCE in ML experiment tracking

Severity: HIGH · PoC available · CISA SSVC: Attend
Published December 12, 2023
CISO Take

MLflow SSTI (CVSS 8.8) lets any authenticated user achieve RCE on the MLflow tracking server — the hub of your ML pipeline with access to model artifacts, training data, and likely cloud credentials. Patch to 2.9.2 immediately. If patching is delayed, isolate MLflow behind VPN or internal network and treat the server's cloud IAM credentials as compromised.

Risk Assessment

HIGH. The attack profile is as dangerous as it gets short of unauthenticated: network-accessible, low complexity, no user interaction, low privilege required. MLflow servers routinely hold IAM roles/service account credentials for cloud storage (S3, GCS, Azure Blob), access to GPU clusters, and connectivity to model registries — dramatically amplifying blast radius beyond the MLflow host itself. Multi-tenant deployments are especially critical: a single compromised user account can pivot to all experiments, runs, and registered models.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch
Package metrics: 25.7K · OpenSSF 4.5 · 624 dependents · Pushed 7d ago · 24% patched · ~64d to patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. Patch now: upgrade to MLflow >= 2.9.2 (patch commit 432b8cc).

  2. Restrict MLflow network exposure to VPN/internal networks — no public internet access.

  3. Audit and scope down MLflow server IAM permissions to least privilege (read-only access to storage where feasible).

  4. Rotate cloud credentials (AWS/GCP/Azure service accounts) accessible by the MLflow server as a precaution.

  5. Review MLflow access logs for anomalous template-like strings ({{ }}, {% %}, ${ }) in experiment names, run tags, or artifact paths.

  6. Implement SIEM alerting for unexpected outbound connections from the MLflow host.
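Steps 1 and 5 above can be partly automated. The following Python script is an added example, not code from this advisory or from the MLflow project: it checks an installed version string against the 2.9.2 fix boundary stated in the NVD description, scans tracking-server access-log lines for the template markers named in step 5 (URL-decoding first, since braces in query strings arrive percent-encoded), and applies the same check to experiment names, run tags and artifact paths pulled from the tracking store. The log format, the metadata record shape and all sample values are constructed for this example; the version parser ignores pre-release suffixes.

```python
"""Added example for CVE-2023-6709 remediation steps 1 and 5 (not MLflow's own code)."""
import re
from typing import Iterable
from urllib.parse import unquote

# Marker patterns from step 5 of the advisory: Jinja-style {{ }} / {% %} and ${ }.
TEMPLATE_MARKER = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}", re.DOTALL)

# First fixed release per the NVD description ("prior to 2.9.2").
PATCHED_VERSION = (2, 9, 2)


def parse_version(version: str) -> tuple:
    """Turn '2.8.1' (or '2.9.2rc1', suffix dropped) into a comparable int tuple."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any release older than 2.9.2 (step 1 of the advisory)."""
    return parse_version(version) < PATCHED_VERSION


def find_template_markers(text: str) -> list:
    """Return every template-like fragment in text, after URL-decoding it so
    percent-encoded braces in query strings are not missed."""
    return TEMPLATE_MARKER.findall(unquote(text))


def scan_log_lines(lines: Iterable[str]) -> list:
    """Flag access-log lines whose request line contains template markers.
    Note: POST bodies are not in access logs, so this only catches markers
    that travel in URLs; use scan_metadata() for stored names and tags."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        markers = find_template_markers(line)
        if markers:
            hits.append({"line": lineno, "markers": markers, "raw": line})
    return hits


def scan_metadata(records: Iterable[dict]) -> list:
    """Check experiment names, run tags and artifact paths (as exported from the
    tracking store; record shape is an assumption of this example) for markers."""
    hits = []
    for rec in records:
        field = rec.get("name", rec.get("value", ""))
        markers = find_template_markers(field)
        if markers:
            hits.append({"kind": rec["kind"], "id": rec.get("id", rec.get("run_id")),
                         "markers": markers})
    return hits


# Constructed sample data (combined-log style lines; not real server output).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2023:09:12:01 +0000] "POST /api/2.0/mlflow/experiments/create HTTP/1.1" 200 64
10.0.0.9 - - [13/Dec/2023:09:14:22 +0000] "GET /api/2.0/mlflow/experiments/get-by-name?experiment_name=exp-%7B%7B%20probe%20%7D%7D HTTP/1.1" 200 118
10.0.0.7 - - [13/Dec/2023:09:15:40 +0000] "POST /api/2.0/mlflow/runs/set-tag HTTP/1.1" 200 2
"""

SAMPLE_METADATA = [
    {"kind": "experiment", "id": "1", "name": "churn-baseline"},
    {"kind": "run_tag", "run_id": "abc123", "key": "note", "value": "{% if x %}tag{% endif %}"},
    {"kind": "artifact_path", "run_id": "abc123", "value": "models/${ARTIFACT_ROOT}/weights.bin"},
]


if __name__ == "__main__":
    for v in ("2.8.1", "2.9.2", "2.10.0"):
        print(f"mlflow {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for hit in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"log line {hit['line']}: {hit['markers']}")
    for hit in scan_metadata(SAMPLE_METADATA):
        print(f"{hit['kind']} {hit['id']}: {hit['markers']}")
```

The `${ }` pattern will also match legitimate shell- or environment-style expansions (the constructed artifact path above is one), so treat those hits as triage candidates rather than confirmed injection attempts.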

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system security
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain AI risk management
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-6709?

MLflow SSTI (CVSS 8.8) lets any authenticated user achieve RCE on the MLflow tracking server — the hub of your ML pipeline with access to model artifacts, training data, and likely cloud credentials. Patch to 2.9.2 immediately. If patching is delayed, isolate MLflow behind VPN or internal network and treat the server's cloud IAM credentials as compromised.

Is CVE-2023-6709 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6709, increasing the risk of exploitation.

How to fix CVE-2023-6709?

  1. Patch now: upgrade to MLflow >= 2.9.2 (patch commit 432b8cc).
  2. Restrict MLflow network exposure to VPN/internal networks — no public internet access.
  3. Audit and scope down MLflow server IAM permissions to least privilege (read-only access to storage where feasible).
  4. Rotate cloud credentials (AWS/GCP/Azure service accounts) accessible by the MLflow server as a precaution.
  5. Review MLflow access logs for anomalous template-like strings ({{ }}, {% %}, ${ }) in experiment names, run tags, or artifact paths.
  6. Implement SIEM alerting for unexpected outbound connections from the MLflow host.

What systems are affected by CVE-2023-6709?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, experiment tracking, model registry, training pipelines, model serving.

What is the CVSS score for CVE-2023-6709?

CVE-2023-6709 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.26%.

Technical Details

NVD Description

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

Exploitation Scenario

An attacker with a low-privilege MLflow account — obtained via phishing a data scientist, compromising a CI/CD service account, or credential stuffing — crafts an SSTI payload and injects it into a field processed by MLflow's template engine (e.g., an experiment name or run tag). Upon server-side rendering, the payload executes OS commands as the MLflow process. The attacker queries the AWS Instance Metadata Service (IMDSv1) to harvest IAM role credentials, then accesses S3 buckets containing training datasets and model weights. As a final step, the attacker registers a trojaned model version in the MLflow Model Registry, poisoning downstream production deployments that pull 'latest' automatically.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: December 12, 2023
Last Modified: November 21, 2024
First Seen: December 12, 2023

Related Vulnerabilities