CVE-2024-1560: MLflow: path traversal allows arbitrary directory deletion

HIGH PoC AVAILABLE CISA: TRACK*
Published April 16, 2024
CISO Take

Any authenticated user—even low-privilege—on an exposed MLflow server can delete arbitrary directories on the filesystem, including production model artifacts, training checkpoints, and system paths. This bypasses the prior CVE-2023-6831 fix via double URL-decoding, meaning teams that patched once may still be vulnerable. Upgrade MLflow past 2.9.2 immediately and isolate MLflow servers behind VPN or internal-only network controls.

What is the risk?

HIGH. CVSS 8.1 reflects a dangerous combination: network-accessible, low attack complexity, and only low privileges required. MLflow servers are routinely deployed in data science environments with minimal network segmentation—often reachable by all members of an engineering org or exposed via internal tooling. The double-decoding bypass is reliable and reproducible. Impact includes permanent destruction of trained model artifacts, experiment data, and pipeline configurations. The bypass of a prior patch (CVE-2023-6831) signals active researcher attention to this attack surface and increases the likelihood of weaponized exploits.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
MLflow | pip | | No patch
26.6K, OpenSSF 5.6, 655 dependents, Pushed 5d ago, 31% patched, ~51d to patch

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 0.9% chance of exploitation in 30 days (higher than 54% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

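Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): High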

What should I do?

6 steps
  1. PATCH

    Upgrade MLflow beyond version 2.9.2 immediately—this is the definitive fix.

  2. NETWORK

    Restrict MLflow server access to trusted IPs and VPN segments; never expose the MLflow UI or API to the public internet.

  3. FILESYSTEM

    Run the MLflow process as a low-privilege OS user scoped only to the artifact root; use containers or chroot to enforce filesystem boundaries.

  4. MONITOR

    Alert on DELETE requests to /api/2.0/mlflow-artifacts/ endpoints containing encoded characters (%25, %2F, or double-encoded sequences)—these are strong indicators of traversal attempts.

  5. BACKUPS

    Implement immutable or versioned backups of all artifact storage directories so that a deletion event does not result in irreversible loss.

  6. AUDIT

    Review MLflow access logs retroactively for suspicious DELETE calls with unusual path patterns to identify potential prior exploitation.
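
One way to implement the MONITOR and AUDIT steps, as an added example that is not MLflow code or part of the original advisory: a Python filter that flags DELETE requests under `/api/2.0/mlflow-artifacts/` whose path carries `%25`, `%2F`, multiple encoding layers, or `..` segments once fully decoded. The log layout (a quoted request line, as in combined log format) is an assumption, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: each log line carries the quoted request line, as in combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ARTIFACT_PREFIX = "/api/2.0/mlflow-artifacts/"

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [16/Apr/2024:10:00:00 +0000] "DELETE /api/2.0/mlflow-artifacts/artifacts/1/abc/model HTTP/1.1" 200 2',
    '10.0.0.9 - bob [16/Apr/2024:10:01:00 +0000] "DELETE /api/2.0/mlflow-artifacts/artifacts/%252F..%252F..%252F.. HTTP/1.1" 200 2',
    '10.0.0.9 - bob [16/Apr/2024:10:02:00 +0000] "GET /api/2.0/mlflow-artifacts/artifacts/1/abc/model HTTP/1.1" 200 512',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(line):
    """Return the reasons a log line looks like a traversal attempt (empty if none)."""
    m = REQUEST_RE.search(line)
    if not m or m["method"] != "DELETE" or not m["target"].startswith(ARTIFACT_PREFIX):
        return []
    path = m["target"][len(ARTIFACT_PREFIX):].split("?", 1)[0]
    reasons = []
    if "%25" in path:
        reasons.append("encoded-percent")
    if "%2f" in path.lower():
        reasons.append("encoded-separator")
    decoded, rounds = fully_decode(path)
    if rounds >= 2:
        reasons.append("multi-layer-encoding")
    if ".." in decoded.split("/"):
        reasons.append("dot-dot-after-decoding")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every suspicious line, 1-indexed."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, reasons) for n, reasons in hits if reasons]
```

Run `scan()` over live log streams for alerting and over archived logs for the retroactive audit; a hit with HTTP status 200 deserves a check of the artifact store against backups.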

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system for high-risk AI
ISO 42001
A.6.2.6 - AI system security and resilience
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-1560 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1560, increasing the risk of exploitation.

What systems are affected by CVE-2024-1560?

This vulnerability affects the following AI/ML architecture patterns: MLflow experiment tracking servers, MLflow Model Registry, training pipelines, artifact stores, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2024-1560?

CVE-2024-1560 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.86%.

What is the AI security impact?

Affected AI Architectures

  • MLflow experiment tracking servers
  • MLflow Model Registry
  • training pipelines
  • artifact stores
  • MLOps CI/CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the `_delete_artifact_mlflow_artifacts` handler and `local_file_uri_to_path` function, allowing for the deletion of arbitrary directories on the server's filesystem. This vulnerability is due to an extra unquote operation in the `delete_artifacts` function of `local_artifact_repo.py`, which fails to properly sanitize user-supplied paths. The issue is present up to version 2.9.2, despite attempts to fix a similar issue in CVE-2023-6831.

Exploitation Scenario

An attacker with standard MLflow read/write access (a compromised data scientist account or a leaked service token) crafts an artifact deletion API request in which the path is double-URL-encoded: `%252F..%252F..%252F..` decodes to `%2F..%2F..%2F..` on the first pass and to `/../../..` after the extra unquote applied by `delete_artifacts` in `local_artifact_repo.py`. The handler decodes once and passes the path to `local_file_uri_to_path`, which decodes again, escaping the artifact root entirely. The attacker targets the MLflow artifact delete endpoint with a traversal payload, first wiping the model registry to destroy production model artifacts ahead of a scheduled release, then targeting configuration directories to disable the ML platform—all without ever requiring elevated permissions and with no interactive steps required.
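
The validate-then-decode-again pattern described in the advisory and scenario above, next to a hardened resolver, as an added example: this is a simplified model written for illustration, not MLflow's code or its actual patch. The function names are hypothetical, and nothing is deleted; the functions only compute the path that a delete would act on.

```python
import os
from urllib.parse import unquote


def resolve_flawed(root, user_path):
    """Simplified model of the flaw: validate after one decode, then decode again."""
    once = unquote(user_path)
    if ".." in once.split("/"):  # "%2F..%2F.." is a single segment, so this passes
        raise ValueError("traversal rejected")
    twice = unquote(once)  # the extra unquote turns %2F into "/" after the check
    return os.path.normpath(os.path.join(root, twice.lstrip("/")))


def is_inside(root, path):
    """True when path, with symlinks resolved, is the root or lies beneath it."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(path)]) == root_real


def resolve_hardened(root, user_path):
    """Decode exactly once, refuse leftover escapes, then check containment."""
    decoded = unquote(user_path)
    if "%" in decoded:
        # Trade-off (assumption): artifact names never legitimately contain "%".
        raise ValueError("residual percent-encoding rejected")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if not is_inside(root_real, target):
        raise ValueError("path escapes artifact root")
    return target


def outcome(resolver, root, user_path):
    """Summarise a resolver's result as 'inside', 'OUTSIDE' or 'rejected'."""
    try:
        return "inside" if is_inside(root, resolver(root, user_path)) else "OUTSIDE"
    except ValueError:
        return "rejected"
```

The containment check on the fully resolved path is what holds regardless of how many decode steps sit upstream; the residual-`%` rejection is defence in depth against a later component decoding again.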

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Timeline

Published: April 16, 2024
Last Modified: February 3, 2025
First Seen: April 16, 2024

Related Vulnerabilities