CVE-2024-4263: MLflow: broken access control allows artifact deletion
MEDIUM | PoC AVAILABLE
MLflow before 2.10.1 lets any authenticated user with EDIT permissions delete artifacts—an operation they are explicitly prohibited from performing per documentation. Upgrade to 2.10.1 immediately if you run MLflow with multi-user or contractor access. Audit permissions now and verify artifact storage has versioning enabled, since deletions may be unrecoverable.
Risk Assessment
Medium severity by CVSS, but contextually elevated in ML environments where experiment artifacts represent months of R&D. Attack complexity is trivial—any authenticated EDIT-level user can exploit this with a single DELETE HTTP request. Risk peaks in shared or multi-tenant MLflow deployments, organizations with contractors or untrusted internal users, and anywhere MLflow artifacts feed production model pipelines. No public exploit code confirmed, not in KEV, but the huntr advisory includes reproduction steps making this widely accessible.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | — | No patch |
Do you use mlflow? You're affected.
Recommended Action
- Patch: Upgrade MLflow to 2.10.1 immediately (commit b43e0e3 is the fix).
- Least privilege: Audit all user role assignments—restrict EDIT grants to minimum required; use READ-only roles for observers and analysts.
- Storage hardening: Enable object versioning (S3 Versioning, Azure Blob soft delete, GCS Object Versioning) on artifact backends to enable recovery from unauthorized deletions.
- Detection: Enable MLflow server access logging and alert on DELETE operations originating from non-admin accounts.
- Network: Restrict MLflow UI and API to internal/VPN networks; block direct internet exposure.
- Verify: Cross-check artifact hashes post-upgrade to identify if unauthorized deletions already occurred.
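The detection step above, as an added example (not code from MLflow or from the advisory): a log scan that flags DELETE requests on artifact routes made by non-admin accounts and separates completed deletions from blocked attempts. It assumes a combined-style access log with the authenticated user in the third field; `ADMIN_USERS` is hypothetical and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: Apache "combined"-style access log (e.g. from a reverse proxy in
# front of MLflow) with the authenticated username in the third field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_USERS = {"mlflow-admin"}  # hypothetical: accounts allowed to delete

# Constructed sample lines, not real traffic. The DELETE path is the one
# quoted in this page's exploitation scenario; match the routes you log.
SAMPLE_LOG = """\
10.0.4.17 - alice [12/Mar/2024:09:14:02 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 812
10.0.4.17 - alice [12/Mar/2024:09:14:09 +0000] "DELETE /api/2.0/mlflow/artifacts/delete HTTP/1.1" 200 2
10.0.4.9 - mlflow-admin [12/Mar/2024:09:20:31 +0000] "DELETE /api/2.0/mlflow/artifacts/delete HTTP/1.1" 200 2
10.0.4.22 - bob [12/Mar/2024:09:25:40 +0000] "DELETE /api/2.0/mlflow/artifacts/delete HTTP/1.1" 403 41
10.0.4.17 - alice [12/Mar/2024:09:26:11 +0000] "DELETE /api/2.0/mlflow/artifacts/delete HTTP/1.1" 200 2
garbage line that does not parse
"""

def find_artifact_deletes(log_text, admins=ADMIN_USERS):
    """Return (alerts, unparsed) for DELETEs on artifact routes by non-admins."""
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)  # surface lines the parser cannot read
            continue
        if m["method"] != "DELETE" or "artifacts" not in m["path"] or m["user"] in admins:
            continue
        status = int(m["status"])
        alerts.append({
            "user": m["user"], "ip": m["ip"], "ts": m["ts"], "path": m["path"],
            # 2xx: the deletion went through; anything else: attempt was refused
            "status": status, "succeeded": 200 <= status < 300,
        })
    return alerts, unparsed

def summarize(alerts):
    """Count completed and refused deletions per account."""
    counts = defaultdict(lambda: {"succeeded": 0, "blocked": 0})
    for a in alerts:
        counts[a["user"]]["succeeded" if a["succeeded"] else "blocked"] += 1
    return dict(counts)
```

Unparsed lines are returned rather than dropped so that a log-format change does not silently blind the alert.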
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-4263?
MLflow before 2.10.1 lets any authenticated user with EDIT permissions delete artifacts—an operation they are explicitly prohibited from performing per documentation. Upgrade to 2.10.1 immediately if you run MLflow with multi-user or contractor access. Audit permissions now and verify artifact storage has versioning enabled, since deletions may be unrecoverable.
Is CVE-2024-4263 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-4263, increasing the risk of exploitation.
How to fix CVE-2024-4263?
1. Patch: Upgrade MLflow to 2.10.1 immediately (commit b43e0e3 is the fix).
2. Least privilege: Audit all user role assignments—restrict EDIT grants to minimum required; use READ-only roles for observers and analysts.
3. Storage hardening: Enable object versioning (S3 Versioning, Azure Blob soft delete, GCS Object Versioning) on artifact backends to enable recovery from unauthorized deletions.
4. Detection: Enable MLflow server access logging and alert on DELETE operations originating from non-admin accounts.
5. Network: Restrict MLflow UI and API to internal/VPN networks; block direct internet exposure.
6. Verify: Cross-check artifact hashes post-upgrade to identify if unauthorized deletions already occurred.
What systems are affected by CVE-2024-4263?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, experiment tracking, model registry, MLOps platforms.
What is the CVSS score for CVE-2024-4263?
CVE-2024-4263 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.
Exploitation Scenario
A contractor or disgruntled employee holds a legitimate MLflow account with EDIT permissions on shared experiments. They enumerate available experiments and artifacts via the MLflow REST API using their valid token. Without needing any additional privilege escalation, they issue a series of DELETE /api/2.0/mlflow/artifacts/delete requests targeting directories inside active experiment artifact stores—including production-bound model checkpoints. The deletions succeed silently. If object versioning is absent on the backing storage, the artifacts are gone. The victim organization discovers the damage only when an automated retraining pipeline fails to locate expected artifacts or during a model audit.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2025-15379 | 10.0 | MLflow: RCE via unsanitized model dependency specs | Same package: mlflow |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Same package: mlflow |
| CVE-2026-2635 | 9.8 | mlflow: security flaw enables exploitation | Same package: mlflow |
| CVE-2023-1177 | 9.8 | MLflow: path traversal allows arbitrary file read/write | Same package: mlflow |
| CVE-2023-2780 | 9.8 | MLflow: path traversal allows arbitrary file read/write | Same package: mlflow |