The vulnerability stems from the application's handling of artifact URLs. Specifically, the security mechanism in place to prevent path traversal attacks can be bypassed by including a '#' character in the URL, which causes the application to interpret the subsequent path as a fragment, thus skipping validation. This flaw allows attackers to construct URLs that, when processed by the application, result in arbitrary file read access on the server.

An attacker starts by creating an experiment in mlflow with an artifact location that includes a path traversal sequence preceded by a '#'. They then create a run and a registered model linked to this run, specifying a file (e.g., '/etc/passwd') as the source. Finally, the attacker can request this file through the mlflow interface, leading to unauthorized file access.

Any deployments of mlflow version 2.11.0 where users can create experiments and specify artifact locations are vulnerable. This includes environments where mlflow is exposed to untrusted users who can exploit this vulnerability to read arbitrary files on the server.