CVE-2023-6909: MLflow path traversal exposes

CISO Take

MLflow servers prior to 2.9.2 allow unauthenticated remote attackers to read arbitrary files via path traversal—no credentials needed. In MLOps environments this directly risks exposure of model artifacts, training data, API keys, and credentials stored on the MLflow host. Upgrade to 2.9.2+ immediately and restrict MLflow network exposure to trusted networks only.

What is the risk?

HIGH. CVSS vector AV:N/AC:L/PR:N/UI:N makes this trivially exploitable by any attacker with network access. MLflow instances are frequently deployed with internet or broad internal exposure for team collaboration. The confidentiality impact is severe: MLflow servers routinely hold experiment configs, model weights, API keys in .env files, cloud credentials, and data paths. No active KEV listing, but the zero-barrier exploitation and sensitivity of MLflow server contents make this a priority patch for any MLOps team.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

89.7%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

✓ VulnCheck KEV (exploitation reported — broader/earlier than CISA) — Apr 2026

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 90%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade MLflow to 2.9.2 or later immediately.
NETWORK CONTROLS

Restrict MLflow server access to trusted VPN/internal networks; remove any public internet exposure.
LEAST PRIVILEGE

Run MLflow with a dedicated service account with minimal filesystem permissions—limit readable directories to experiment artifacts only.
DETECTION

Search web/application logs for requests containing '../', '%2e%2e', or '..\\' patterns targeting MLflow endpoints.
AUDIT

Review MLflow server filesystem for sensitive files (credentials, SSH keys) and relocate them outside the accessible path.

How is it classified?

Data Extraction Framework AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.1 - AI system operational and monitoring processes

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain risk treatment

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-6909?

MLflow servers prior to 2.9.2 allow unauthenticated remote attackers to read arbitrary files via path traversal—no credentials needed. In MLOps environments this directly risks exposure of model artifacts, training data, API keys, and credentials stored on the MLflow host. Upgrade to 2.9.2+ immediately and restrict MLflow network exposure to trusted networks only.

Is CVE-2023-6909 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6909, increasing the risk of exploitation.

How to fix CVE-2023-6909?

1. PATCH: Upgrade MLflow to 2.9.2 or later immediately. 2. NETWORK CONTROLS: Restrict MLflow server access to trusted VPN/internal networks; remove any public internet exposure. 3. LEAST PRIVILEGE: Run MLflow with a dedicated service account with minimal filesystem permissions—limit readable directories to experiment artifacts only. 4. DETECTION: Search web/application logs for requests containing '../', '%2e%2e', or '..\\' patterns targeting MLflow endpoints. 5. AUDIT: Review MLflow server filesystem for sensitive files (credentials, SSH keys) and relocate them outside the accessible path.

What systems are affected by CVE-2023-6909?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking, model registry, training pipelines, MLOps infrastructure, CI/CD for ML.

What is the CVSS score for CVE-2023-6909?

CVE-2023-6909 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 89.72%.

What is the AI security impact?

Affected AI Architectures

ML experiment trackingmodel registrytraining pipelinesMLOps infrastructureCI/CD for ML

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.8.1

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Exploitation Scenario

An attacker scans for exposed MLflow instances (default port 5000) via Shodan or similar. With no authentication required, they craft a GET request with a path traversal payload (e.g., /get-artifact?path=../../../../etc/passwd or ~/.aws/credentials). In a typical MLOps pipeline, MLflow runs with access to training data storage, model registries, and CI/CD secrets. The attacker iterates through common credential paths to extract cloud provider keys, enabling lateral movement to S3/GCS buckets containing training data or production model artifacts—potentially poisoning future model versions.

Weaknesses (CWE)

CWE-29 Path Traversal: '\..\filename'

CWE-29 — Path Traversal: '\..\filename': The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Source: MITRE CWE corpus.