A flaw in the authorization layer of MLflow enables an attacker to reach the multipart upload endpoints at /mlflow-artifacts/mpu/* without performing a resource‑level permission check. With the --serve-artifacts option enabled, this permits the attacker to overwrite artifacts that belong to other users, creating a path for model supply‑chain poisoning and potentially arbitrary code execution when compromised models are loaded. The weakness involves missing authorization (CWE‑862) and inadequate access control that can be mapped to CWE‑1220.

The vulnerability exists in all MLflow releases up to and including 3.10.1.dev0 from the mlflow:mlflow/mlflow product line. The issue was addressed and fixed starting with version 3.10.0, although the precise resolution target is the point release 3.10.0. Users should verify that their installations have migrated to a fixed version before experiencing the validated fix.

The CVSS score of 9 indicates a high‑severity risk, while the EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw over the network by sending crafted HTTP requests to the exposed MPU endpoints when the server is running in --serve-artifacts mode. The attack requires no additional local privileges, making it a straightforward remote exploitation scenario.