Dashboard Vulnerabilities News Research Archive Stats Dataset

aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

Vulnerabilities News Research Digest Archive Newsletter Archive Subscribe Data Sources Statistics Dataset API Integrations Widget RSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

CVE-2023-6015: MLflow allowed arbitrary files to be PUT onto the server. | AI Sec Watch

CVE-2023-6015: MLflow allowed arbitrary files to be PUT onto the server.

highvulnerability

security

Source: NVD/CVE DatabaseNovember 16, 2023CVE-2023-6015

Summary

CVE-2023-6015 is a vulnerability in MLflow that allows attackers to upload arbitrary files to the server using PUT requests. This is a path traversal vulnerability (CWE-22, where an attacker can write files outside the intended directory by manipulating file paths), with a CVSS severity score of 4.0 (a moderate-level security issue on a 0-10 scale).

Vulnerability Details

CVSS Score

7.5(high)

EPSS (30-day exploit probability)

EPSS: 0.8%

Classification

Attack Type

Supply Chain

Attack SophisticationTrivial

Impact (CIA+S)

integrityconfidentiality

Taxonomy References

CWE (Weakness Type)

CAPEC (Attack Pattern)

Affected Vendors

LangChain

Related Issues

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Similar attackTechCrunch

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendorNVD/CVE Database

Original source: https://nvd.nist.gov/vuln/detail/CVE-2023-6015

First tracked: February 15, 2026 at 08:46 PM

Classified by LLM (prompt v3) · confidence: 82%

AI Component TargetedFramework

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Same vendorNVD/CVE Database

CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose

Similar attackNVD/CVE Database

CVE-2025-14927: Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability al

Similar attackNVD/CVE Database