CVE-2023-6831: MLflow path traversal

CISO Take

MLflow before 2.9.2 allows any authenticated low-privileged user to write or delete arbitrary files on the server via path traversal (CVSS 8.1). Upgrade to 2.9.2 immediately—every MLflow experiment tracking server with multi-user or external access is exposed. In AI/ML pipelines, this translates directly to model artifact poisoning risk without triggering standard deployment alerts.

What is the risk?

High risk. Network-accessible, low complexity, requires only low-level credentials, and no user interaction—making this trivially weaponizable in multi-tenant or shared ML environments. AI/ML teams routinely deploy MLflow with permissive access controls to facilitate collaboration, significantly broadening the attack surface. The integrity and availability impact on model artifacts makes this particularly dangerous in production ML pipelines where trust in model provenance is assumed.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

3.3%

chance of exploitation in 30 days

Higher than 87% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I High

A High

What should I do?

6 steps

Patch immediately: upgrade MLflow to 2.9.2 or later.
Restrict network access: place MLflow behind VPN or restrict to internal networks if not already done.
Audit access: review and enforce least-privilege on MLflow API credentials.
Verify artifact integrity: inspect registered model artifacts for unexpected modifications, especially in production registries.
Enable audit logging and alert on path traversal patterns ('../', '%2e%2e', '%252e') in MLflow API requests.
If patching is delayed, deploy WAF rules blocking traversal sequences on MLflow endpoints as a temporary control.

How is it classified?

Supply Chain Code Execution Framework Training Data AML.T0010.001 - AI Software AML.T0018.000 - Poison AI Model AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.3 - AI System Risk Treatment

NIST AI RMF

MANAGE 2.2 - Treatment of AI Risks

OWASP LLM Top 10

LLM03 - Training Data Poisoning

Frequently Asked Questions

What is CVE-2023-6831?

MLflow before 2.9.2 allows any authenticated low-privileged user to write or delete arbitrary files on the server via path traversal (CVSS 8.1). Upgrade to 2.9.2 immediately—every MLflow experiment tracking server with multi-user or external access is exposed. In AI/ML pipelines, this translates directly to model artifact poisoning risk without triggering standard deployment alerts.

Is CVE-2023-6831 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6831, increasing the risk of exploitation.

How to fix CVE-2023-6831?

1. Patch immediately: upgrade MLflow to 2.9.2 or later. 2. Restrict network access: place MLflow behind VPN or restrict to internal networks if not already done. 3. Audit access: review and enforce least-privilege on MLflow API credentials. 4. Verify artifact integrity: inspect registered model artifacts for unexpected modifications, especially in production registries. 5. Enable audit logging and alert on path traversal patterns ('../', '%2e%2e', '%252e') in MLflow API requests. 6. If patching is delayed, deploy WAF rules blocking traversal sequences on MLflow endpoints as a temporary control.

What systems are affected by CVE-2023-6831?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking, model registries, training pipelines, model serving.

What is the CVSS score for CVE-2023-6831?

CVE-2023-6831 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 3.29%.

What is the AI security impact?

Affected AI Architectures

ML experiment trackingmodel registriestraining pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0018.000 Poison AI Model

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.1.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Exploitation Scenario

An adversary with compromised data scientist credentials or a malicious insider crafts an artifact upload request containing path traversal sequences (e.g., '..\..\etc\cron.d\backdoor' or '..\..\app\models\production_model.pkl') to overwrite a registered production model artifact. In a CI/CD-integrated MLflow deployment, the poisoned model passes standard validation checks because its metadata and registry entry remain legitimate—only the underlying file is replaced. The attack completes before the next scheduled deployment cycle, silently deploying a backdoored model to inference infrastructure. Alternatively, the attacker deletes training checkpoints to cause denial of service to active training runs.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.