CVE-2023-6831 — HIGH (CVSS 8.1) AI Security Vulnerability

CISO Take

MLflow before 2.9.2 allows any authenticated low-privileged user to write or delete arbitrary files on the server via path traversal (CVSS 8.1). Upgrade to 2.9.2 immediately—every MLflow experiment tracking server with multi-user or external access is exposed. In AI/ML pipelines, this translates directly to model artifact poisoning risk without triggering standard deployment alerts.

Risk Assessment

High risk. Network-accessible, low complexity, requires only low-level credentials, and no user interaction—making this trivially weaponizable in multi-tenant or shared ML environments. AI/ML teams routinely deploy MLflow with permissive access controls to facilitate collaboration, significantly broadening the attack surface. The integrity and availability impact on model artifacts makes this particularly dangerous in production ML pipelines where trust in model provenance is assumed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

74.0%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 74%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I High

A High

Recommended Action

6 steps

Patch immediately: upgrade MLflow to 2.9.2 or later.
Restrict network access: place MLflow behind VPN or restrict to internal networks if not already done.
Audit access: review and enforce least-privilege on MLflow API credentials.
Verify artifact integrity: inspect registered model artifacts for unexpected modifications, especially in production registries.
Enable audit logging and alert on path traversal patterns ('../', '%2e%2e', '%252e') in MLflow API requests.
If patching is delayed, deploy WAF rules blocking traversal sequences on MLflow endpoints as a temporary control.

Classification

Supply Chain Code Execution Framework Training Data AML.T0010.001 - AI Software AML.T0018.000 - Poison AI Model AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.3 - AI System Risk Treatment

NIST AI RMF

MANAGE 2.2 - Treatment of AI Risks

OWASP LLM Top 10

LLM03 - Training Data Poisoning

Frequently Asked Questions

What is CVE-2023-6831?

MLflow before 2.9.2 allows any authenticated low-privileged user to write or delete arbitrary files on the server via path traversal (CVSS 8.1). Upgrade to 2.9.2 immediately—every MLflow experiment tracking server with multi-user or external access is exposed. In AI/ML pipelines, this translates directly to model artifact poisoning risk without triggering standard deployment alerts.

Is CVE-2023-6831 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6831, increasing the risk of exploitation.

How to fix CVE-2023-6831?

1. Patch immediately: upgrade MLflow to 2.9.2 or later. 2. Restrict network access: place MLflow behind VPN or restrict to internal networks if not already done. 3. Audit access: review and enforce least-privilege on MLflow API credentials. 4. Verify artifact integrity: inspect registered model artifacts for unexpected modifications, especially in production registries. 5. Enable audit logging and alert on path traversal patterns ('../', '%2e%2e', '%252e') in MLflow API requests. 6. If patching is delayed, deploy WAF rules blocking traversal sequences on MLflow endpoints as a temporary control.

What systems are affected by CVE-2023-6831?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking, model registries, training pipelines, model serving.

What is the CVSS score for CVE-2023-6831?

CVE-2023-6831 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 73.98%.

Technical Details

NVD Description

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Exploitation Scenario

An adversary with compromised data scientist credentials or a malicious insider crafts an artifact upload request containing path traversal sequences (e.g., '..\..\etc\cron.d\backdoor' or '..\..\app\models\production_model.pkl') to overwrite a registered production model artifact. In a CI/CD-integrated MLflow deployment, the poisoned model passes standard validation checks because its metadata and registry entry remain legitimate—only the underlying file is replaced. The attack completes before the next scheduled deployment cycle, silently deploying a backdoored model to inference infrastructure. Alternatively, the attacker deletes training checkpoints to cause denial of service to active training runs.