MLflow instances running versions below 2.11.3 are vulnerable to unauthenticated remote file read — no credentials, no user interaction required. An attacker with network access can read any file the MLflow process can access: cloud credentials, DB connection strings, model artifacts, SSH keys. Upgrade to 2.11.3+ immediately and verify MLflow is not internet-facing.
Risk Assessment
HIGH. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable from any network-reachable position. MLflow instances are frequently deployed on internal ML infrastructure without strict network segmentation, often running with broad filesystem access to model artifacts and credentials. The fact that this is a bypass of a prior patch (a query-string fix in an earlier version) indicates active researcher attention and likely public PoC availability. Blast radius extends beyond the MLflow host: credential files recovered via LFI enable lateral movement into cloud environments, data lakes, and model registries.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | — | No patch |
Do you use mlflow? You're affected.
Recommended Action
6 steps
1. PATCH: Upgrade MLflow to 2.11.3 or later — the fix (commit 96f0b57) implements comprehensive URI fragment validation against directory traversal sequences.
2. NETWORK ISOLATION: MLflow servers must not be internet-facing. Enforce network policies restricting access to authorized ML pipeline services and named user CIDRs only.
3. LEAST PRIVILEGE: Run MLflow as a dedicated service account with read access only to required artifact directories. Avoid running as root or with home directory access.
4. CREDENTIAL ROTATION: If the MLflow host stored cloud credentials or API keys and exposure cannot be ruled out, rotate them.
5. DETECTION: Search MLflow access logs for URI patterns containing '../', '%2e%2e', or '#' followed by path segments. SIEM rule: alert on HTTP requests to MLflow endpoints where the fragment portion contains traversal sequences.
6. AUDIT: Enumerate all MLflow instances in your environment and verify version compliance.
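The log search from the DETECTION step, as an added example (not part of the original advisory and not MLflow's own code): it flags request targets containing '../', percent-encoded or double-encoded variants, or a '#' fragment followed by path segments. The common/combined access-log format, the reason labels, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: common/combined log format, request line quoted as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e is caught too."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_target(target):
    """Return the reasons a request target matches the advisory's patterns."""
    reasons = []
    # Split on the literal '#' before decoding so an encoded %23 is not the delimiter.
    before, sep, fragment = target.partition("#")
    if TRAVERSAL_RE.search(decode_fully(before)):
        reasons.append("traversal-in-path-or-query")
    if sep:
        # Browsers never send the fragment, so any '#' in a logged target is unusual.
        frag = decode_fully(fragment)
        if TRAVERSAL_RE.search(frag):
            reasons.append("traversal-in-fragment")
        elif "/" in frag:
            reasons.append("fragment-with-path-segments")
    return reasons

def scan(lines):
    """Return (line_number, target, reasons) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = classify_target(match.group("target")) if match else []
        if reasons:
            hits.append((number, match.group("target"), reasons))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2024:10:00:00 +0000] "GET /api/2.0/mlflow/experiments/search?max_results=10 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2024:10:00:05 +0000] "GET /api/artifacts#/../../../home/mlflow/.aws/credentials HTTP/1.1" 200 116',
    '198.51.100.7 - - [01/Apr/2024:10:00:09 +0000] "GET /example?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Apr/2024:10:00:12 +0000] "GET /api/artifacts#%252e%252e%252fconfig HTTP/1.1" 404 0',
    '192.0.2.44 - - [01/Apr/2024:10:01:00 +0000] "GET /#/experiments/1 HTTP/1.1" 200 2048',
]
```

Run `scan()` over the lines of the MLflow server or reverse-proxy access log and forward the hits to the SIEM; adjust `REQUEST_RE` if the log format differs.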
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-2928?
MLflow instances running versions below 2.11.3 are vulnerable to unauthenticated remote file read — no credentials, no user interaction required. An attacker with network access can read any file the MLflow process can access: cloud credentials, DB connection strings, model artifacts, SSH keys. Upgrade to 2.11.3+ immediately and verify MLflow is not internet-facing.
Is CVE-2024-2928 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-2928, increasing the risk of exploitation.
How to fix CVE-2024-2928?
1. PATCH: Upgrade MLflow to 2.11.3 or later — the fix (commit 96f0b57) implements comprehensive URI fragment validation against directory traversal sequences.
2. NETWORK ISOLATION: MLflow servers must not be internet-facing. Enforce network policies restricting access to authorized ML pipeline services and named user CIDRs only.
3. LEAST PRIVILEGE: Run MLflow as a dedicated service account with read access only to required artifact directories. Avoid running as root or with home directory access.
4. CREDENTIAL ROTATION: If the MLflow host stored cloud credentials or API keys and exposure cannot be ruled out, rotate them.
5. DETECTION: Search MLflow access logs for URI patterns containing '../', '%2e%2e', or '#' followed by path segments. SIEM rule: alert on HTTP requests to MLflow endpoints where the fragment portion contains traversal sequences.
6. AUDIT: Enumerate all MLflow instances in your environment and verify version compliance.
What systems are affected by CVE-2024-2928?
This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, experiment tracking infrastructure, training pipelines, model serving.
What is the CVSS score for CVE-2024-2928?
CVE-2024-2928 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 91.65%.
Technical Details
NVD Description
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.
Exploitation Scenario
An adversary conducting reconnaissance against an organization's internal network identifies an MLflow tracking server on port 5000 reachable from a compromised developer workstation. They craft a GET request with a URI fragment payload (e.g., /api/artifacts#/../../../home/mlflow/.aws/credentials) to extract cloud credentials. With AWS keys in hand, they enumerate S3 buckets containing training datasets and model artifacts. They then replace a production model artifact with a backdoored version containing embedded malware (AML.T0018.002), causing the model serving infrastructure to load the malicious model on next deployment — achieving persistent access to inference infrastructure without ever touching CI/CD pipelines.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
- github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07 Patch
- huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298 Exploit Issue Patch 3rd Party
- github.com/20142995/nuclei-templates Exploit
- github.com/EssenceCyber/Exploit-List Exploit
- github.com/cyb3r-w0lf/nuclei-template-collection Exploit
- github.com/fkie-cad/nvd-json-data-feeds Exploit
- github.com/nomi-sec/PoC-in-GitHub Exploit
- github.com/nuridincersaygili/CVE-2024-2928 Exploit
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
nuclei -t http/cves/2024/CVE-2024-2928.yaml -u https://target.example.com
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2025-15379 | 10.0 | MLflow: RCE via unsanitized model dependency specs | Same package: mlflow |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Same package: mlflow |
| CVE-2023-2780 | 9.8 | MLflow: path traversal allows arbitrary file read/write | Same package: mlflow |
| CVE-2026-2635 | 9.8 | mlflow: security flaw enables exploitation | Same package: mlflow |
| CVE-2023-1177 | 9.8 | MLflow: path traversal allows arbitrary file read/write | Same package: mlflow |