Uncontrolled Resource Consumption in mlflow/mlflow
Description
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of service. Additionally, there is no character limit in the artifact_location parameter while creating the experiment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In mlflow v2.13.2, missing limits on experiment name and artifact_location allow denial of service via UI unresponsiveness.
Vulnerability
Overview
CVE-2024-6838 describes a denial-of-service vulnerability in MLflow version 2.13.2. The software fails to enforce a limit on the length of experiment names or the artifact_location parameter when creating or renaming experiments. An attacker can supply a name consisting of a large number of integers, causing the MLflow UI panel to become unresponsive [1].
Exploitation
An attacker with access to the MLflow tracking server can exploit this by sending a crafted API request to create or rename an experiment with an excessively long name or a large artifact_location value. No authentication is required if the server is exposed, making the attack surface broad in deployments without proper access controls [3].
Impact
Successful exploitation leads to a denial-of-service condition where the MLflow UI becomes unresponsive, preventing legitimate users from viewing or managing experiments. This can disrupt machine learning workflows and degrade platform availability [1].
Mitigation
As of the publication date, no official patch has been announced for this vulnerability. Users are advised to restrict network access to the MLflow tracking server and monitor for unusual experiment creation activity. The issue was reported via the Huntr bug bounty program [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mlflowPyPI | <= 2.13.2 | — |
Affected products
4- osv-coords2 versions
>= 2.13.2, < 2.14.0+ 1 more
- (no CPE)range: >= 2.13.2, < 2.14.0
- (no CPE)range: <= 2.13.2
- mlflow/mlflow/mlflowv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.