CVE-2024-1483 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

MLflow 2.9.2 allows unauthenticated attackers to read any file on the server via crafted artifact_location parameters — no credentials needed, network access is enough. If MLflow is reachable from untrusted networks (including internal segments with lateral movement risk), treat this as critical. Patch immediately or isolate the service behind a VPN/firewall; assume credential exposure if exploitation cannot be ruled out.

Risk Assessment

Effective risk is CRITICAL in typical MLOps deployments despite the 7.5 CVSS score. The zero-auth requirement (PR:N, UI:N, AC:L) means any network-adjacent attacker can exfiltrate files without prior foothold. MLflow instances routinely store environment files, cloud provider credentials, database connection strings, and model configs in accessible paths. In organizations where MLflow is exposed on internal networks with flat segmentation, lateral movement significantly amplifies the blast radius.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

75.0%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 75%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

PATCH

Upgrade MLflow to the latest release immediately; the fix was applied post-2.9.2.
ISOLATE

Restrict MLflow tracking server to internal VPN-only access; block port 5000 from untrusted segments via firewall or security group rules.
AUDIT

Review server access logs for anomalous POST requests to /api/2.0/mlflow/runs/create or experiment endpoints with artifact_location or source parameters containing '../', '%2e%2e', or '#' characters.
ROTATE

If exposure cannot be ruled out, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow server filesystem.
DETECT

Add WAF rule or IDS signature matching path traversal patterns in artifact_location/source parameters in POST bodies to MLflow endpoints.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework Training Data AML.T0007 - Discover AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - Protection of AI system information A.9.1 - AI system vulnerability management

NIST AI RMF

GOVERN 6.1 - Policies for AI risk in the supply chain MANAGE 2.2 - Mechanisms for responding to AI risks

OWASP LLM Top 10

LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2024-1483?

MLflow 2.9.2 allows unauthenticated attackers to read any file on the server via crafted artifact_location parameters — no credentials needed, network access is enough. If MLflow is reachable from untrusted networks (including internal segments with lateral movement risk), treat this as critical. Patch immediately or isolate the service behind a VPN/firewall; assume credential exposure if exploitation cannot be ruled out.

Is CVE-2024-1483 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1483, increasing the risk of exploitation.

How to fix CVE-2024-1483?

1. PATCH: Upgrade MLflow to the latest release immediately; the fix was applied post-2.9.2. 2. ISOLATE: Restrict MLflow tracking server to internal VPN-only access; block port 5000 from untrusted segments via firewall or security group rules. 3. AUDIT: Review server access logs for anomalous POST requests to /api/2.0/mlflow/runs/create or experiment endpoints with artifact_location or source parameters containing '../', '%2e%2e', or '#' characters. 4. ROTATE: If exposure cannot be ruled out, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow server filesystem. 5. DETECT: Add WAF rule or IDS signature matching path traversal patterns in artifact_location/source parameters in POST bodies to MLflow endpoints.

What systems are affected by CVE-2024-1483?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, training pipelines, experiment tracking infrastructure, model registry, CI/CD for ML.

What is the CVSS score for CVE-2024-1483?

CVE-2024-1483 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 75.00%.

Technical Details

NVD Description

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.

Exploitation Scenario

An adversary scanning an internal data science network finds an exposed MLflow tracking server. Using a single unauthenticated HTTP POST to the runs/create API with artifact_location set to a local URI like file:///etc/../etc/passwd#experiment or a crafted source parameter, the attacker reads /etc/passwd to enumerate users. Escalating, they target common MLflow artifact storage paths to retrieve .env files containing AWS_ACCESS_KEY_ID and database DSNs used by the training pipeline. With cloud credentials in hand, the attacker pivots to S3/GCS to exfiltrate proprietary model weights and training datasets — all without ever compromising a user account.