Mlflow - Unauthenticated Access

By kannthu

Severity: High
Vidoc Module
Tags: #unauth #mlflow #oss
Description

What is "Mlflow - Unauthenticated Access"?

The "Mlflow - Unauthenticated Access" module detects MLflow tracking servers whose dashboard and REST API can be reached without authentication. MLflow is an open-source platform for managing the machine learning lifecycle (experiment tracking, model registry, artifact storage). Its tracking server does not enforce authentication unless the operator enables it or places an authenticating proxy in front of it, so an Internet-facing instance is frequently fully open. This module looks for exactly that condition: an MLflow instance that answers API calls for anonymous clients. The severity is classified as high.

Impact

If an exposed MLflow instance is found, anyone who can reach it can read experiments, runs, parameters and metrics, and can see artifact storage locations (the `artifact_location` field, which often points at an S3, GCS or Azure bucket). With the same access they can create, modify or delete experiments and registered models. This can lead to data breaches, unauthorized model modifications, and misuse of machine learning resources.

How does the module work?

The "Mlflow - Unauthenticated Access" module sends a single HTTP GET request, without credentials, to the MLflow REST endpoint /ajax-api/2.0/preview/mlflow/experiments/get?experiment_id=0. Experiment ID 0 is the built-in "Default" experiment that every MLflow tracking server creates, so the request succeeds on any open instance regardless of what the users have tracked. The module then applies matching conditions to the response to decide whether unauthenticated access is possible.

The matching conditions for this module are:

- The response body must contain the words "experiment_id", "name", and "artifact_location".
- The response status code must be 200.

Both conditions are combined with AND. If both are met, the module reports a vulnerability, indicating that unauthenticated access to the MLflow dashboard and API is possible. An instance protected by MLflow's own basic authentication or by an authenticating reverse proxy normally answers with 401 or a redirect to a login page, so it does not match.
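The following script reproduces the module's check stand-alone. It is an added example, not Vidoc's own module code: the probe path and the three required words are taken from the description above, while the JSON confirmation step, the helper names and the sample responses are my additions (the sample bodies are constructed, not captured from a real host).

```python
"""Stand-alone reproduction of the "Mlflow - Unauthenticated Access" check.

Added example, not Vidoc's code. It implements the module's two matching
conditions over an HTTP response and can optionally probe a live host.
"""
import json
import urllib.error
import urllib.request

# Probe path used by the module; experiment_id=0 is MLflow's built-in
# "Default" experiment, which exists on every tracking server.
PROBE_PATH = "/ajax-api/2.0/preview/mlflow/experiments/get?experiment_id=0"

# The module's word matcher: all three must appear (AND), plus status 200.
REQUIRED_WORDS = ("experiment_id", "name", "artifact_location")


def matches(status: int, body: str) -> bool:
    """Return True when the response satisfies both module conditions."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def looks_like_mlflow_experiment(body: str) -> bool:
    """Stricter confirmation (my addition, not part of the module): the body
    must parse as JSON with an 'experiment' object carrying the three fields.
    This rules out a 200 HTML login page that happens to contain 'name'."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    exp = data.get("experiment") if isinstance(data, dict) else None
    return isinstance(exp, dict) and all(k in exp for k in REQUIRED_WORDS)


def fetch(base_url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET the probe URL with no credentials and return (status, body).
    Non-2xx responses are returned rather than raised so the matcher sees
    the real status code (e.g. 401 from an authenticating proxy)."""
    req = urllib.request.Request(base_url.rstrip("/") + PROBE_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_target(base_url: str) -> dict:
    """Run the module logic against a live host and return a verdict."""
    status, body = fetch(base_url)
    return {
        "target": base_url,
        "status": status,
        "module_match": matches(status, body),
        "confirmed_json": looks_like_mlflow_experiment(body),
    }


# Constructed sample responses (not captured from a real server) so the
# matcher can be exercised offline.
SAMPLE_OPEN = (200, json.dumps({"experiment": {
    "experiment_id": "0", "name": "Default",
    "artifact_location": "s3://example-mlflow-bucket/0",
    "lifecycle_stage": "active"}}))
SAMPLE_AUTH_REQUIRED = (401, "Unauthorized")
SAMPLE_LOGIN_PAGE = (200, "<html><form><input name='user'></form></html>")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python mlflow_unauth.py http://host:5000
        print(check_target(sys.argv[1]))
    else:
        for label, (st, bd) in {"open": SAMPLE_OPEN,
                                "auth-required": SAMPLE_AUTH_REQUIRED,
                                "login-page": SAMPLE_LOGIN_PAGE}.items():
            print(label, matches(st, bd), looks_like_mlflow_experiment(bd))
```

Only the open sample satisfies the module's conditions; the 401 fails on status, and the login page fails because "experiment_id" and "artifact_location" never appear. The JSON confirmation is a belt-and-braces step for manual triage and is not something the module itself performs.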

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /ajax-api/2.0/previe...

Matching conditions
   word: experiment_id, name, artifact_location (and)
   status: 200

Passive global matcher
   No matching conditions.

On match action
   Report vulnerability