The vulnerability arises from the application's failure to validate '../' sequences in the URI fragment, a method used to bypass previous patches aimed at preventing LFI attacks through query strings. By crafting a malicious URI that includes the fragment marker '#' followed by '../' sequences, attackers can traverse the server's directory structure and access sensitive files such as '/etc/passwd'.

An attacker starts the MLflow web server and creates a malicious experiment with an artifact location pointing to a crafted URI containing the fragment marker '#' and directory traversal sequences. They then associate a run to this experiment, create a registered model, and link a model version to the malicious run. Finally, the attacker can read arbitrary files on the server, such as '/etc/passwd', by making a request to the model-versions endpoint with a crafted path parameter.

Users of MLflow version 2.9.2 are affected by this vulnerability. The risk is particularly high for environments where MLflow is exposed to untrusted users, as it allows for the reading of arbitrary files on the server, potentially leading to the disclosure of sensitive information.