CVE-2023-6018
Published: 16 November 2023
Summary
CVE-2023-6018 is a critical-severity OS Command Injection (CWE-78) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Other Platforms, falls in the Supply Chain and Deployment risk domain, and maps to the MITRE ATLAS techniques AI Supply Chain Compromise (AML.T0010), Exfiltration via AI Inference API (AML.T0024), and External Harms (AML.T0048).
Deeper analysis
CVE-2023-6018 is an unauthenticated file overwrite vulnerability affecting the MLflow machine learning platform. The flaw, assigned CWE-78, permits remote attackers to replace arbitrary files on the host server and carries a CVSS 3.1 base score of 9.8 reflecting network-accessible, low-complexity exploitation with no required credentials or user interaction.
An attacker can send crafted requests directly to a publicly reachable MLflow instance and overwrite any file on the underlying server filesystem. Successful exploitation grants full control over confidentiality, integrity, and availability of the MLflow deployment and any data or models it manages.
The current EPSS score of 0.9127, with a recorded peak of 0.9265, indicates sustained and elevated exploitation interest since disclosure. The issue is particularly relevant to AI/ML environments that rely on MLflow for experiment tracking and model management.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2888
Vulnerability details
An attacker can overwrite any file on the server hosting MLflow without any authentication.
- CWE(s): CWE-78 (OS Command Injection)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: MLflow is an open-source platform for managing the machine learning lifecycle, including experimentation, reproducibility, and deployment. It fits under 'Other Platforms' because it is not a framework, library, or specific AI sub-domain tool.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated arbitrary file overwrite on an MLflow server supports initial access by exploiting the public-facing application (T1190); persistence through web shells (T1505.003), SSH authorized keys (T1098.004), cron jobs (T1053.003), and systemd services (T1543.002); impairing defenses (T1562.001); and clearing logs (T1070.002).
MITRE ATLAS Techniques
- AI Supply Chain Compromise (AML.T0010)
- Exfiltration via AI Inference API (AML.T0024)
- External Harms (AML.T0048)
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.