Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow
Description
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, and fixed in version 2.11.3. The vulnerability arises from the application's failure to validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass of a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MLflow 2.9.2 fails to validate URI fragments for directory traversal, allowing arbitrary file read via LFI, bypassing a previous patch.
Root Cause
CVE-2024-2928 is a Local File Inclusion (LFI) vulnerability in mlflow/mlflow affecting version 2.9.2, fixed in 2.11.3. The root cause is the application's failure to properly validate URI fragments for directory traversal sequences such as ../. An attacker can manipulate the fragment part of a URI to bypass previous validation that only covered the query string, allowing arbitrary file reads from the local file system [1][4].
Exploitation
To exploit this vulnerability, an attacker needs to craft a URI with a malicious fragment containing directory traversal patterns (e.g., #/../../etc/passwd). The flaw lies in the incomplete validation: while query strings are checked, fragments are not, enabling traversal outside intended directories. No authentication is explicitly required; the attacker can send a specially crafted request to the MLflow server [1][3].
Impact
Successful exploitation allows the attacker to read sensitive files on the server, including /etc/passwd and potentially other configuration files or data. This can lead to information disclosure that may aid further attacks or expose credentials. The LFI is a bypass of a prior incomplete fix, emphasizing the need for comprehensive URI validation [1].
Mitigation
Users should upgrade to MLflow version 2.11.3 or later, which includes a fix that validates both query strings and fragments in artifact locations [4]. No workaround is provided; patching is the recommended action. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
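As an added illustration (not MLflow's own code), the following validator models the behaviour of the fix: `urllib.parse.urlparse` splits the fragment off before the query string is inspected, so a check on `.query` alone never sees `#/../../etc/passwd`; rejecting any fragment closes that gap. The traversal check inside `validate_query_string` is my own approximation of MLflow's query-string validation, not a copy of it.

```python
import urllib.parse


class InvalidArtifactLocation(ValueError):
    """Raised when an artifact location fails validation (constructed, not MLflow's type)."""


def _contains_traversal(value: str) -> bool:
    # Decode once so percent-encoded dots (%2e%2e) are caught too, then look for a
    # '..' path segment under either separator. Assumed rule, not MLflow's exact one.
    decoded = urllib.parse.unquote(value).replace("\\", "/")
    return ".." in decoded.split("/")


def validate_query_string(query: str) -> None:
    """Reject query keys or values carrying a '..' segment (models the earlier check)."""
    for key, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        if _contains_traversal(key) or any(_contains_traversal(v) for v in values):
            raise InvalidArtifactLocation(f"query parameter {key!r} contains path traversal")


def validate_artifact_location(artifact_location: str, reject_fragment: bool = True):
    """Validate an artifact_location URL.

    reject_fragment=False reproduces the pre-fix behaviour (query checked, fragment
    ignored); the default mirrors the fix, which refuses any fragment outright.
    """
    parsed = urllib.parse.urlparse(artifact_location)
    if reject_fragment and parsed.fragment:
        raise InvalidArtifactLocation("'artifact_location' URL can't include fragment part.")
    validate_query_string(parsed.query)
    return parsed


def is_accepted(artifact_location: str, reject_fragment: bool = True) -> bool:
    """True if the location passes validation, False if it is rejected."""
    try:
        validate_artifact_location(artifact_location, reject_fragment)
        return True
    except InvalidArtifactLocation:
        return False


if __name__ == "__main__":
    # Constructed sample locations; the traversal string is the one named on this page.
    base = "file:///srv/mlflow/artifacts"
    for loc in (base, base + "?path=../../etc/passwd", base + "#/../../etc/passwd"):
        print(f"{loc!r:55} pre-fix={is_accepted(loc, False)!s:5} fixed={is_accepted(loc)}")
```

Running it shows the query-string payload rejected in both modes, while the fragment payload is accepted only by the pre-fix logic.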
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mlflow (PyPI) | < 2.11.3 | 2.11.3 |
Affected products
- osv-coords (2 versions): < 2.11.3 + 1 more
- (no CPE) range: < 2.11.3
- mlflow/mlflow/mlflow (v5) range: unspecified
Patches
1 file changed · +9 −4
mlflow/server/handlers.py+9 −4 modified@@ -600,8 +600,12 @@ def _create_experiment(): # Validate query string in artifact location to prevent attacks parsed_artifact_locaion = urllib.parse.urlparse(request_message.artifact_location) + if parsed_artifact_locaion.fragment: + raise MlflowException( + "'artifact_location' URL can't include fragment part.", + error_code=INVALID_PARAMETER_VALUE, + ) validate_query_string(parsed_artifact_locaion.query) - experiment_id = _get_tracking_store().create_experiment( request_message.name, request_message.artifact_location, tags ) @@ -1726,9 +1730,10 @@ def _validate_source(source: str, run_id: str) -> None: store = _get_tracking_store() run = store.get_run(run_id) source = pathlib.Path(local_file_uri_to_path(source)).resolve() - run_artifact_dir = pathlib.Path(local_file_uri_to_path(run.info.artifact_uri)).resolve() - if run_artifact_dir in [source, *source.parents]: - return + if is_local_uri(run.info.artifact_uri): + run_artifact_dir = pathlib.Path(local_file_uri_to_path(run.info.artifact_uri)).resolve() + if run_artifact_dir in [source, *source.parents]: + return raise MlflowException( f"Invalid model version source: '{source}'. To use a local path as a model version "
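Review bot: In the `_create_experiment` hunk, the comment above the new check still reads "Validate query string in artifact location to prevent attacks" although the code now also rejects any fragment; update it to say that both the fragment and the query string are checked, and say why a fragment is refused outright rather than validated, since the advisory describes the fragment as the bypass of the query-string-only check. The variable the hunk touches, `parsed_artifact_locaion`, is misspelled (pre-existing, but this is the moment to rename it to `parsed_artifact_location`). The removed blank line before `experiment_id = ...` is a whitespace-only change that could be dropped from the fix to keep the diff minimal.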
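Review bot: In the `_validate_source` hunk, `is_local_uri` is called but the diff shows no import being added (the file summary is +9 −4 and both hunks account for all of it), so confirm the name is already imported in handlers.py or the handler will fail with a NameError at runtime. The behaviour change also deserves a comment: when `run.info.artifact_uri` is not local, the function no longer passes a remote URI through `local_file_uri_to_path` and instead falls through to the `MlflowException`, which is the intended outcome but is not obvious from the guard alone.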
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-j46q-5pxx-8vmw (GHSA, advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2024-2928 (GHSA, advisory)
[3] github.com/mlflow/mlflow/commit/96f0b573a73d8eedd6735a2ce26e08859527be07 (GHSA, web)
[4] github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-242.yaml (GHSA, web)
[5] huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298 (GHSA, web)
News mentions
No linked articles in our index yet.