OffSec — MLflow LFI via URI fragment (CVE-2024-2928)

2026-03-11 AI CVEs by al-ice.ai Editorial

AI relevance: MLflow is a common ML lifecycle platform; LFI in its artifact handling can expose model artifacts and AI pipeline credentials.

CVE-2024-2928 affects MLflow versions ≤ 2.11.2; patched in 2.11.3.
The LFI stems from improper sanitization of the URI fragment (#) during artifact path resolution.
MLflow parses the raw HTTP request line, which includes fragments, bypassing the usual path traversal protections.
Crafted fragments like #../etc/passwd can escape the artifact directory and read arbitrary files.
Attack is unauthenticated and remote if the MLflow server is exposed to the network.
Browsers do not send fragments, so exploitation requires raw HTTP tooling (curl, Burp, netcat).
CVSS v3.1 score: 7.5 (high).

Why it matters

MLflow often co-locates model artifacts, pipeline configs, and service credentials; LFI turns it into a secret-harvesting endpoint.
Artifact stores are frequently tied to cloud IAM roles, so leaked credentials can pivot into broader AI infrastructure.

Upgrade MLflow to 2.11.3+ immediately.
Restrict network exposure of the tracking server and require authentication/allowlists.
Add edge filtering/WAF rules to block #-fragment traversal patterns in artifact routes.
Monitor logs for suspicious artifact path requests with fragment traversal.