CVE-2024-27132: MLflow: XSS in recipes enables client-side RCE

CRITICAL PoC AVAILABLE CISA: ATTEND
Published February 23, 2024
CISO Take

MLflow recipe execution in Jupyter Notebook can trigger client-side RCE via unsanitized template variables — no credentials required, just user interaction. Any team running shared or third-party MLflow recipes is at risk of full environment compromise, including model weights, training data, and cloud credentials. Patch immediately or prohibit untrusted recipe execution until the fix is deployed.

Risk Assessment

Critical risk for ML operations teams. The CVSS 9.6 reflects a network-reachable attack vector, low attack complexity, no privileges required, a changed scope and high impact on confidentiality, integrity and availability. Jupyter Notebooks typically run with the user's full OS permissions, so an XSS that escalates to RCE gives unrestricted code execution on the ML engineer's workstation or server. Because no privileges are required, any recipe distributed via GitHub, an internal wiki or social engineering is a viable attack vector; the only requirement is user interaction, i.e. running the recipe. MLflow's widespread adoption in enterprise ML pipelines significantly expands the blast radius.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip                            No patch


Severity & Risk

CVSS 3.1: 9.6 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 47% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. Patch: Upgrade MLflow to the version that includes PR #10873.

  2. Audit: Inventory all MLflow instances and identify those using the Recipes feature.

  3. Restrict: Block execution of untrusted or unreviewed recipes; enforce recipe code review gates before team-wide adoption.

  4. Isolate: Run Jupyter and MLflow environments in containers with minimal OS permissions and no direct access to production credentials — use IAM roles/workload identity instead of stored keys.

  5. Detect: Monitor for unexpected outbound network connections or anomalous file access originating from Jupyter processes.

  6. Rotate credentials: For any environment where untrusted recipes may have been executed, rotate cloud provider credentials, API keys, and service account tokens immediately.
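As a concrete form of the review gate in step 3, the following is an added example (not MLflow's own code) of a pre-execution lint that rejects recipe and profile values containing markup, the kind of content the unsanitized template variables would render into notebook output. It assumes the usual Recipes layout of a recipe.yaml whose {{VARIABLES}} resolve from a flat profiles/*.yaml and, to stay dependency-free, parses only flat KEY: value lines.

```python
import re

# Patterns that must never reach notebook output: tags, javascript: URLs, inline on*= handlers.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)
TEMPLATE_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
KV_RE = re.compile(r"^\s*([A-Za-z_][\w\-]*)\s*:\s*(.+?)\s*$")

def load_profile_values(profile_text):
    """Extract flat 'KEY: value' pairs from a profile file. Enough for the
    uppercase template variables; nested blocks are deliberately ignored."""
    values = {}
    for line in profile_text.splitlines():
        m = KV_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip("'\"")
    return values

def lint_recipe(recipe_text, profile_text):
    """Return (line_no, reason) findings for a recipe rendered with a profile.
    An empty list means no markup was found and every {{VAR}} resolves."""
    findings = []
    values = load_profile_values(profile_text)
    for no, line in enumerate(recipe_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments never render, so do not flag them
        if MARKUP_RE.search(line):
            findings.append((no, "markup in recipe literal"))
        for var in TEMPLATE_RE.findall(line):
            if var not in values:
                findings.append((no, f"unresolved template variable {var}"))
            elif MARKUP_RE.search(values[var]):
                findings.append((no, f"markup in profile value for {var}"))
    return findings

# Constructed sample inputs (assumed layout, not real project files).
RECIPE = """\
recipe: "regression/v1"
target_col: "fare_amount"
steps:
  ingest:
    location: {{INGEST_DATA_LOCATION}}
    using: {{INGEST_DATA_FORMAT}}
"""
PROFILE_CLEAN = 'INGEST_DATA_LOCATION: "./data/sample.parquet"\nINGEST_DATA_FORMAT: parquet\n'
PROFILE_TAINTED = 'INGEST_DATA_LOCATION: "<script>document.title</script>"\n'

if __name__ == "__main__":
    print("tainted profile findings:", lint_recipe(RECIPE, PROFILE_TAINTED))
```

Wire it into the recipe repository's CI or a pre-commit hook so a non-empty finding list blocks the recipe from reaching the team; the pattern list is a starting point, not a substitute for rendering output through an HTML-escaping path.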

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Third-party and external AI supplier relationships
A.6.2 - AI system design and development
NIST AI RMF
GOVERN-6.2 - AI supply chain and third-party risk management
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling

Frequently Asked Questions


Is CVE-2024-27132 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-27132, increasing the risk of exploitation.


What systems are affected by CVE-2024-27132?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML experiment tracking, MLOps platforms, Jupyter-based ML workflows, model registries.

What is the CVSS score for CVE-2024-27132?

CVE-2024-27132 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.

Exploitation Scenario

An adversary crafts a malicious MLflow recipe containing a JavaScript XSS payload embedded in template variables — for example, within a recipe YAML configuration or step definition. The recipe is distributed via a public GitHub repository, an internal Confluence page, or a Slack message to the ML team. An ML engineer clones and runs the recipe locally in Jupyter Notebook. The unsanitized template variable renders in notebook output, executing attacker-controlled JavaScript in the browser. This escalates to client-side RCE: the payload reads environment variables (AWS_ACCESS_KEY_ID, OPENAI_API_KEY, etc.), exfiltrates model artifacts or training data to an attacker-controlled endpoint, or drops a reverse shell into the ML pipeline scripts — all transparently while the engineer sees what appears to be normal recipe execution.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
February 23, 2024
Last Modified
January 22, 2025
First Seen
February 23, 2024

Related Vulnerabilities