CVE-2024-2928: MLflow: URI fragment LFI exposes arbitrary files

HIGH PoC AVAILABLE NUCLEI TEMPLATE

Published June 6, 2024

CISO Take

MLflow instances running versions below 2.11.3 are vulnerable to unauthenticated remote file read — no credentials, no user interaction required. An attacker with network access can read any file the MLflow process can access: cloud credentials, DB connection strings, model artifacts, SSH keys. Upgrade to 2.11.3+ immediately and verify MLflow is not internet-facing.

What is the risk?

HIGH. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable from any network-reachable position. MLflow instances are frequently deployed without strict network segmentation on internal ML infrastructure, often running with broad filesystem access to model artifacts and credentials. The fact this is a bypass of a prior patch (query string fix in an earlier version) indicates active researcher attention and likely public PoC availability. Blast radius extends beyond the MLflow host: credential files recovered via LFI enable lateral movement into cloud environments, data lakes, and model registries.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

21.8%

chance of exploitation in 30 days

Higher than 97% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 22%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

PATCH

Upgrade MLflow to 2.11.3 or later — the fix (commit 96f0b57) implements comprehensive URI fragment validation against directory traversal sequences.
NETWORK ISOLATION

MLflow servers must not be internet-facing. Enforce network policies restricting access to authorized ML pipeline services and named user CIDRs only.
LEAST PRIVILEGE

Run MLflow as a dedicated service account with read access only to required artifact directories. Avoid running as root or with home directory access.
CREDENTIAL ROTATION

If the MLflow host stored cloud credentials or API keys and exposure cannot be ruled out, rotate them.
DETECTION

Search MLflow access logs for URI patterns containing '../', '%2e%2e', or '#' followed by path segments. SIEM rule: alert on HTTP requests to MLflow endpoints where the fragment portion contains traversal sequences.
AUDIT

Enumerate all MLflow instances in your environment and verify version compliance.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Supply Chain Framework Model Training Data AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - Protection of AI-related information assets A.8.4 - Security in AI system development and operation

NIST AI RMF

GOVERN 1.7 - Processes for identifying and managing risks throughout the AI lifecycle MANAGE 2.2 - Mechanisms to respond to and recover from AI risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-2928?

Is CVE-2024-2928 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-2928, increasing the risk of exploitation.

How to fix CVE-2024-2928?

1. PATCH: Upgrade MLflow to 2.11.3 or later — the fix (commit 96f0b57) implements comprehensive URI fragment validation against directory traversal sequences. 2. NETWORK ISOLATION: MLflow servers must not be internet-facing. Enforce network policies restricting access to authorized ML pipeline services and named user CIDRs only. 3. LEAST PRIVILEGE: Run MLflow as a dedicated service account with read access only to required artifact directories. Avoid running as root or with home directory access. 4. CREDENTIAL ROTATION: If the MLflow host stored cloud credentials or API keys and exposure cannot be ruled out, rotate them. 5. DETECTION: Search MLflow access logs for URI patterns containing '../', '%2e%2e', or '#' followed by path segments. SIEM rule: alert on HTTP requests to MLflow endpoints where the fragment portion contains traversal sequences. 6. AUDIT: Enumerate all MLflow instances in your environment and verify version compliance.

What systems are affected by CVE-2024-2928?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, experiment tracking infrastructure, training pipelines, model serving.

What is the CVSS score for CVE-2024-2928?

CVE-2024-2928 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 21.85%.

What is the AI security impact?

Affected AI Architectures

MLOps platformsmodel registryexperiment tracking infrastructuretraining pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.5, A.8.4

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

Exploitation Scenario

An adversary conducting reconnaissance against an organization's internal network identifies an MLflow tracking server on port 5000 reachable from a compromised developer workstation. They craft a GET request with a URI fragment payload (e.g., /api/artifacts#/../../../home/mlflow/.aws/credentials) to extract cloud credentials. With AWS keys in hand, they enumerate S3 buckets containing training datasets and model artifacts. They then replace a production model artifact with a backdoored version containing embedded malware (AML.T0018.002), causing the model serving infrastructure to load the malicious model on next deployment — achieving persistent access to inference infrastructure without ever touching CI/CD pipelines.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.