The vulnerability stems from the 'is_local_uri' function's failure to correctly identify URIs with an empty scheme or 'file' scheme as local, combined with the 'is_file_uri' function not considering an empty scheme as equivalent to a 'file' scheme. This flaw allows attackers to craft URIs that bypass security checks, leading to unauthorized local file access. The impact is significant as it could enable attackers to read sensitive files on the server, including SSH keys, artifacts information, internal configurations, and other sensitive data.

An attacker crafts a malicious model version with a source URI designed to exploit the scheme confusion vulnerability ('//home/user/' or 'file://home/user/'). When the MLflow server processes this URI, it mistakenly treats it as a valid local file path due to the vulnerability. The attacker then requests an artifact from this model version, leading to unauthorized access to local files on the server.

Any deployments of MLflow version 2.7.1 or earlier without the patch applied are vulnerable. The vulnerability specifically affects servers where MLflow is used to manage and serve machine learning models and artifacts. Users and organizations relying on affected versions for model versioning and artifact storage are at risk of unauthorized file access.