CVE-2024-4263: MLflow: broken access control allows artifact deletion

MEDIUM PoC AVAILABLE
Published May 16, 2024
CISO Take

MLflow before 2.10.1 lets any authenticated user with EDIT permissions delete artifacts—an operation they are explicitly prohibited from performing per documentation. Upgrade to 2.10.1 immediately if you run MLflow with multi-user or contractor access. Audit permissions now and verify artifact storage has versioning enabled, since deletions may be unrecoverable.

What is the risk?

Medium severity by CVSS, but contextually elevated in ML environments where experiment artifacts represent months of R&D. Attack complexity is trivial—any authenticated EDIT-level user can exploit this with a single DELETE HTTP request. Risk peaks in shared or multi-tenant MLflow deployments, organizations with contractors or untrusted internal users, and anywhere MLflow artifacts feed production model pipelines. No public exploit code confirmed, not in KEV, but the huntr advisory includes reproduction steps making this widely accessible.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
MLflow    pip         (not given)        No patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 24% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV  Attack Vector            Network
AC  Attack Complexity        Low
PR  Privileges Required      Low
UI  User Interaction         None
S   Scope                    Unchanged
C   Confidentiality Impact   None
I   Integrity Impact         Low
A   Availability Impact      Low

What should I do?

6 steps
  1. Patch: Upgrade MLflow to 2.10.1 immediately (commit b43e0e3 is the fix).

  2. Least privilege: Audit all user role assignments—restrict EDIT grants to minimum required; use READ-only roles for observers and analysts.

  3. Storage hardening: Enable object versioning (S3 Versioning, Azure Blob soft delete, GCS Object Versioning) on artifact backends to enable recovery from unauthorized deletions.

  4. Detection: Enable MLflow server access logging and alert on DELETE operations originating from non-admin accounts.

  5. Network: Restrict MLflow UI and API to internal/VPN networks; block direct internet exposure.

  6. Verify: Cross-check artifact hashes post-upgrade to identify if unauthorized deletions already occurred.
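One way to implement the detection in step 4 over tracking-server access logs, as an added example that is not part of this advisory or of MLflow itself: it parses constructed combined-format log lines (assuming the authenticated username appears in the log's user field, as gunicorn's default format allows) and flags artifact DELETE requests from any account outside an assumed admin allowlist.

```python
import re
from collections import Counter

# Constructed sample lines in the combined access-log format gunicorn (which
# serves the MLflow tracking server) can write; the third field is the
# authenticated user. Hosts, users and artifact paths are made up here.
SAMPLE_LOG = """\
10.0.0.5 - alice [16/May/2024:10:01:12 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.7 - bob [16/May/2024:10:02:03 +0000] "DELETE /api/2.0/mlflow/artifacts/delete?path=1/run1/model HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - admin [16/May/2024:10:03:40 +0000] "DELETE /api/2.0/mlflow/artifacts/delete?path=2/old HTTP/1.1" 200 0 "-" "curl/8.4"
10.0.0.7 - bob [16/May/2024:10:04:11 +0000] "DELETE /api/2.0/mlflow/artifacts/delete?path=1/run1/checkpoints HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.7 - bob [16/May/2024:10:05:00 +0000] "PUT /api/2.0/mlflow/artifacts/1/run1/notes.txt HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.8 - carol [16/May/2024:10:06:30 +0000] "DELETE /api/2.0/mlflow/artifacts/delete?path=3/final HTTP/1.1" 403 0 "-" "curl/8.4"
"""

# Combined log format: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: a site-specific allowlist of accounts permitted to delete artifacts.
ADMIN_ACCOUNTS = frozenset({"admin"})

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_artifact_delete(entry):
    """True for a DELETE aimed at the artifact API, whatever the exact route."""
    return entry["method"] == "DELETE" and "artifacts" in entry["path"]

def find_suspicious_deletes(log_text, admins=ADMIN_ACCOUNTS):
    """Artifact DELETEs by any account outside the allowlist. Denied (4xx)
    requests are kept too: after patching, a 403 still shows someone trying."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_artifact_delete(entry) and entry["user"] not in admins:
            alerts.append({k: entry[k] for k in ("time", "user", "host", "path", "status")})
    return alerts

def deletes_per_user(alerts):
    """Flagged requests per account; feed this to a threshold or a SIEM rule."""
    return Counter(a["user"] for a in alerts)

if __name__ == "__main__":
    for a in find_suspicious_deletes(SAMPLE_LOG):
        print(f'{a["time"]} {a["user"]}@{a["host"]} DELETE {a["path"]} -> {a["status"]}')
```

Pair the alert with step 3's storage versioning: a flagged 2xx DELETE tells you which object versions to restore.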

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - Access control for AI system resources
NIST AI RMF
MANAGE 2.2 - Mechanisms exist to sustain AI system value and integrity over time
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-4263?

MLflow before 2.10.1 lets any authenticated user with EDIT permissions delete artifacts—an operation they are explicitly prohibited from performing per documentation. Upgrade to 2.10.1 immediately if you run MLflow with multi-user or contractor access. Audit permissions now and verify artifact storage has versioning enabled, since deletions may be unrecoverable.

Is CVE-2024-4263 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-4263, increasing the risk of exploitation.

How to fix CVE-2024-4263?

  1. Patch: Upgrade MLflow to 2.10.1 immediately (commit b43e0e3 is the fix).
  2. Least privilege: Audit all user role assignments—restrict EDIT grants to minimum required; use READ-only roles for observers and analysts.
  3. Storage hardening: Enable object versioning (S3 Versioning, Azure Blob soft delete, GCS Object Versioning) on artifact backends to enable recovery from unauthorized deletions.
  4. Detection: Enable MLflow server access logging and alert on DELETE operations originating from non-admin accounts.
  5. Network: Restrict MLflow UI and API to internal/VPN networks; block direct internet exposure.
  6. Verify: Cross-check artifact hashes post-upgrade to identify if unauthorized deletions already occurred.

What systems are affected by CVE-2024-4263?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, experiment tracking, model registry, MLOps platforms.

What is the CVSS score for CVE-2024-4263?

CVE-2024-4263 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.33%.

What is the AI security impact?

Affected AI Architectures

training pipelines
experiment tracking
model registry
MLOps platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.

Exploitation Scenario

A contractor or disgruntled employee holds a legitimate MLflow account with EDIT permissions on shared experiments. They enumerate available experiments and artifacts via the MLflow REST API using their valid token. Without needing any additional privilege escalation, they issue a series of DELETE /api/2.0/mlflow/artifacts/delete requests targeting directories inside active experiment artifact stores—including production-bound model checkpoints. The deletions succeed silently. If object versioning is absent on the backing storage, the artifacts are gone. The victim organization discovers the damage only when an automated retraining pipeline fails to locate expected artifacts or during a model audit.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Timeline

Published: May 16, 2024
Last Modified: February 3, 2025
First Seen: May 16, 2024
