Executive Summary

This vulnerability in MLflow is an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Because the endpoint lacked proper access-control validation, users without permission to a specific experiment could directly query this endpoint and retrieve model artifacts they were not authorized to access.

The root cause was that the AJAX endpoint was implemented as a plain Flask route and was not included in the automatic authorization validators, allowing authenticated users with insufficient permissions to bypass checks. The fix involved explicitly adding authorization validation to ensure only users with read permissions on the parent experiment can access these artifacts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized users to access and download sensitive model artifacts from MLflow experiments they do not have permission to view. This unauthorized access could lead to exposure of proprietary or confidential machine learning models and data.

Additionally, another related endpoint allowed unauthorized users to enumerate metadata about artifact files, such as names, paths, and sizes, which could facilitate targeted unauthorized downloads.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the affected AJAX endpoints without proper permissions and observing if unauthorized access is granted.

Specifically, you can test the GET endpoints `/ajax-api/2.0/mlflow/logged-models/<model_id>/artifacts/files` and `/api/2.0/mlflow/logged-models/{model_id}/artifacts/directories` to see if they return model artifacts or artifact metadata without proper authorization.

A practical approach is to use HTTP request tools like curl or wget to send GET requests to these endpoints as a user without experiment read permissions and check if the response status is 403 Forbidden or if data is returned.

• curl -i -H "Authorization: Bearer <token_without_permissions>" https://<mlflow_server>/ajax-api/2.0/mlflow/logged-models/<model_id>/artifacts/files
• curl -i -H "Authorization: Bearer <token_without_permissions>" https://<mlflow_server>/api/2.0/mlflow/logged-models/<model_id>/artifacts/directories

If these requests return HTTP 200 with artifact data instead of HTTP 403 Forbidden, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade MLflow to version 3.10.2 or later, where this authorization bypass vulnerability has been fixed.

The fix involves explicitly registering the affected AJAX endpoints with proper authorization validators to enforce read permissions on experiments.

Until the upgrade can be applied, restrict access to the affected endpoints by network controls or authentication proxies to prevent unauthorized users from accessing the artifact download and listing endpoints.

Additionally, review and tighten experiment permission settings to minimize exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized users to bypass access controls and download model artifacts they are not permitted to access. This unauthorized access to potentially sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive information.

By failing to enforce proper authorization checks, the affected MLflow versions could expose confidential or personal data contained within model artifacts, thereby increasing the risk of data breaches and regulatory violations.

Useful 0 Not Useful 0