CVE-2024-1594: MLflow: path traversal via URI fragment reads arbitrary files

Severity: HIGH | PoC available | CISA SSVC: Track*
Published April 16, 2024
CISO Take

Any internet-exposed MLflow instance is fully compromised by an unauthenticated attacker who can read arbitrary server files including credentials, model weights, and training data. Patch immediately or take MLflow off the public internet behind a VPN/auth proxy. This requires zero privileges and zero user interaction — treat it as critical in your environment if MLflow is reachable from untrusted networks.

What is the risk?

Effective risk is CRITICAL in any organization running MLflow with public or semi-public exposure. The CVSS 7.5 score undersells the operational impact: no authentication, no user interaction, and a network-accessible attack vector mean that mass exploitation is trivially scriptable. MLflow is commonly deployed without strong perimeter controls in data science environments, making this a high-probability, high-impact combination. EPSS data is unavailable, but exploitability is near-trivial given the proof of concept available on huntr.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable Range: (not listed on this page)
Patched: No patch
Package profile: 26.6K · OpenSSF 5.6 · 655 dependents · pushed 4d ago · 31% patched · ~51d to patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

What should I do?

6 steps
  1. PATCH

    Upgrade MLflow to the patched version referenced in the huntr advisory (check official MLflow GitHub releases for the fix targeting CVE-2024-1594).

  2. ISOLATE IMMEDIATELY

    If patching is not immediate, restrict MLflow to internal networks only — bind to localhost or place behind VPN/SSO proxy. No MLflow UI or tracking server should be publicly accessible without authentication.

  3. AUDIT EXPOSURE

    Run `netstat -tlnp | grep mlflow` or equivalent on all servers; identify any 0.0.0.0 bindings on ports 5000/5001.

  4. ROTATE CREDENTIALS

    Assume any server running an exposed MLflow instance has had its filesystem read. Rotate cloud credentials, API tokens, and database passwords on those hosts.

  5. DETECT

    Look for anomalous `POST /api/2.0/mlflow/experiments/create` requests with `artifact_location` values containing `#`, `..`, or file URI schemes in MLflow access logs.

  6. COMPENSATING CONTROL

    Apply WAF rules to reject `artifact_location` parameters containing fragment identifiers or directory traversal sequences.
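The following is an added example (not MLflow project code and not from the original advisory) that implements steps 5 and 6 together: a detection pass over request records and a block/allow decision usable as a compensating control in a reverse proxy or WAF hook. It assumes requests are available with their JSON body; ordinary access logs omit bodies, so capturing the body (for example via proxy body logging or a middleware) is the part you must arrange. The log lines and the `METHOD PATH <body>` format are constructed for the example.

```python
"""Detection and request-filtering helper for abusive artifact_location values.
Added example, not MLflow project code. Record format and sample data are constructed."""
import json
import re
from urllib.parse import unquote

CREATE_PATH = "/api/2.0/mlflow/experiments/create"

# Indicators named in the advisory: fragment marker, dot-dot traversal, file scheme.
# Values are percent-decoded first so "%23" (#) and "%2e%2e" (..) do not slip past.
SUSPICIOUS = {
    "fragment": re.compile(r"#"),
    "dot_dot": re.compile(r"(^|[/\\])\.\.([/\\]|$)"),
    "file_scheme": re.compile(r"^\s*file:", re.IGNORECASE),
}

# Step 6 rejects fragments and traversal. A file: scheme is reported for review
# but not blocked here, because local artifact roots are a legitimate configuration.
BLOCKING = ("fragment", "dot_dot")


def artifact_location_findings(value: str) -> list[str]:
    """Return the names of the indicators that match an artifact_location value."""
    decoded = unquote(value)
    return [name for name, rx in SUSPICIOUS.items() if rx.search(decoded)]


def inspect_request(method: str, path: str, body: str) -> list[str]:
    """Return findings for one request; an empty list means nothing matched."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CREATE_PATH:
        return []
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return ["malformed_json"]
    loc = payload.get("artifact_location") if isinstance(payload, dict) else None
    if not isinstance(loc, str):
        return []
    return artifact_location_findings(loc)


def should_block(method: str, path: str, body: str) -> bool:
    """Compensating-control decision: True when the request must be rejected."""
    return any(f in BLOCKING for f in inspect_request(method, path, body))


def scan_log(lines):
    """Yield (line_number, findings) for suspicious requests.
    Constructed line format: METHOD PATH <json body>  (body optional)."""
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        method, path = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        findings = inspect_request(method, path, body)
        if findings:
            yield n, findings


# Constructed sample records (not real traffic); line 2 has the shape from the advisory.
SAMPLE_LOG = [
    'POST /api/2.0/mlflow/experiments/create {"name": "baseline", "artifact_location": "s3://ml-artifacts/baseline"}',
    'POST /api/2.0/mlflow/experiments/create {"name": "x", "artifact_location": "file:///home/mlflow/.aws/credentials#"}',
    'POST /api/2.0/mlflow/experiments/create {"name": "y", "artifact_location": "/srv/mlruns/%2e%2e/%2e%2e/etc/passwd"}',
    "GET /api/2.0/mlflow/experiments/list",
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

Running the module over the constructed sample reports line 2 (fragment and file scheme) and line 3 (percent-encoded traversal); line 1 and the GET request are untouched. Because `should_block` only acts on fragments and traversal, a deployment that legitimately uses local `file:` artifact roots keeps working while the indicator still surfaces in review.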

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.1 - Information security in AI systems
A.9.4 - AI data security
NIST AI RMF
GV-1.7 - Processes for AI risk management are reviewed
MS-2.5 - Practices and controls for AI risk management are in place
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Insecure Design

Frequently Asked Questions

Is CVE-2024-1594 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1594, increasing the risk of exploitation.

What systems are affected by CVE-2024-1594?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, training pipelines, model registry, experiment tracking infrastructure, CI/CD pipelines for ML.

What is the CVSS score for CVE-2024-1594?

CVE-2024-1594 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.71%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, training pipelines, model registry, experiment tracking infrastructure, CI/CD pipelines for ML

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.1, A.9.4
NIST AI RMF: GV-1.7, MS-2.5
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.

Exploitation Scenario

An adversary scanning for exposed MLflow tracking servers (common on port 5000) identifies a data science team's unprotected instance. They send a single unauthenticated POST to `/api/2.0/mlflow/experiments/create` with `artifact_location` set to `file:///home/mlflow/.aws/credentials#`. MLflow processes the URI, uses the fragment to bypass previous path traversal mitigations, and the attacker retrieves AWS access keys. With these keys, the adversary pivots to S3 buckets containing proprietary training datasets and model weights, achieving full AI intellectual property theft without ever needing to compromise the training pipeline itself. The entire attack chain takes under 5 minutes and leaves minimal forensic traces beyond HTTP access logs.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.
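The CWE-22 guidance above recommends an "accept known good" check rather than a denylist. The following is an added example (not MLflow project code and independent of the upstream fix) of such a validator for a local artifact location: the value must be an absolute path or a `file:` URI with no query and no fragment, and it must resolve, symlinks and `..` included, to a location inside a configured artifact root. The root `/srv/mlruns` and the sample values are assumptions constructed for the example.

```python
"""Accept-known-good validation of a local artifact_location value.
Added example, not MLflow project code; artifact root and samples are constructed."""
import os
from urllib.parse import unquote, urlsplit


class InvalidArtifactLocation(ValueError):
    """Raised for any value that does not strictly conform to the local-path rule."""


def validate_local_artifact_location(value: str, artifact_root: str) -> str:
    """Return the canonical path if the value is acceptable, otherwise raise."""
    # Reject fragment and query markers before any URI parsing so no parsing
    # rule can make them disappear; a NUL byte is never valid in a path.
    if not value or any(c in value for c in "#?\x00"):
        raise InvalidArtifactLocation("fragment, query or NUL byte in artifact_location")
    parts = urlsplit(value)
    if parts.scheme == "":
        raw_path = value                       # plain filesystem path
    elif parts.scheme == "file":
        if parts.netloc not in ("", "localhost"):
            raise InvalidArtifactLocation("file URI with a remote host")
        raw_path = unquote(parts.path)         # decode %2e etc. before resolving
    else:
        raise InvalidArtifactLocation(f"scheme {parts.scheme!r} not allowed for local storage")
    if not os.path.isabs(raw_path):
        raise InvalidArtifactLocation("relative path")
    # realpath collapses '..' and follows symlinks; commonpath is a prefix check
    # that cannot be fooled by a sibling such as /srv/mlruns2.
    root = os.path.realpath(artifact_root)
    candidate = os.path.realpath(raw_path)
    if os.path.commonpath([root, candidate]) != root:
        raise InvalidArtifactLocation("resolves outside the artifact root")
    return candidate


def check_many(values, artifact_root: str) -> dict[str, str]:
    """Map each value to 'accepted: <path>' or 'rejected: <reason>' for review."""
    out = {}
    for v in values:
        try:
            out[v] = "accepted: " + validate_local_artifact_location(v, artifact_root)
        except InvalidArtifactLocation as exc:
            out[v] = "rejected: " + str(exc)
    return out


ARTIFACT_ROOT = "/srv/mlruns"   # assumed local artifact root for this example

# Constructed inputs: two conforming values, then the advisory's fragment form,
# traversal, a remote scheme, a remote file host, a sibling-prefix path and a relative path.
SAMPLE_LOCATIONS = [
    "/srv/mlruns/exp1",
    "file:///srv/mlruns/exp2",
    "file:///home/mlflow/.aws/credentials#",
    "/srv/mlruns/../../etc/passwd",
    "s3://ml-artifacts/exp3",
    "file://storage.example/srv/mlruns/exp4",
    "/srv/mlruns2/exp5",
    "relative/exp6",
]

if __name__ == "__main__":
    for value, verdict in check_many(SAMPLE_LOCATIONS, ARTIFACT_ROOT).items():
        print(f"{value!r}: {verdict}")
```

Only the first two sample values are accepted; everything else is rejected with the reason. The `#` check happens on the raw string on purpose: the advisory's point is that a URI component can carry the path past a check that was written against a different representation, so the validator refuses any representation it does not explicitly expect. Remote schemes such as `s3://` are rejected here because this validator covers local storage only; a deployment that uses remote artifact stores needs its own allowlist for those schemes.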

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: April 16, 2024
Last Modified: February 3, 2025
First Seen: April 16, 2024
