Path Traversal via Model Version Source
A path traversal vulnerability was identified in MLflow version 2.9.2, allowing attackers to read arbitrary files on the server. The issue resides in the `_create_model_version()` function, which improperly validates the `source` parameter. This vulnerability was patched in a version following 2.9.2.
Available publicly on Apr 16 2024
Threat Overview
The vulnerability stems from inadequate validation of the `source` parameter in the `_create_model_version()` function. Specifically, the `_validate_source()` function fails to properly sanitize the `source` parameter, allowing an attacker to craft a `source` URI that bypasses path traversal checks. This crafted URI can then be used to read arbitrary files on the server when interacting with the `/model-versions/get-artifact` handler, which incorrectly constructs the final path for artifact retrieval based on the unsanitized `source`.
Attack Scenario
An attacker crafts a malicious `source` URI containing encoded path traversal sequences and submits it through the model version creation process. The system incorrectly validates this URI, allowing it to be used in subsequent requests to retrieve artifacts. The attacker then makes a request to the `/model-versions/get-artifact` endpoint with a normal-looking `path` parameter, which, combined with the malicious `source`, results in arbitrary file access on the server.
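The two checks that the flaw described above calls for, decoding the `source` fully before validating it and confirming containment of the final joined path, are sketched below as an added example; it is not MLflow's code or the actual patch. It assumes sources are paths relative to a single local artifact root, and all function names are hypothetical.

```python
import os
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 5  # assumed bound on nested percent-encoding


def fully_decode(value: str) -> str:
    """Percent-decode until stable so double-encoded sequences are exposed."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("value is percent-encoded too deeply")


def validate_source(source: str) -> str:
    """Return the decoded root-relative path of `source`, or raise ValueError."""
    parts = urlsplit(source)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        raise ValueError("only plain root-relative paths are accepted here")
    path = fully_decode(parts.path)
    if "\x00" in path or ".." in re.split(r"[/\\]", path):
        raise ValueError("traversal sequence in source")
    return path.lstrip("/\\")


def resolve_artifact(root: str, source: str, rel_path: str) -> str:
    """Build the final path, then confirm it is still inside the artifact root."""
    root_real = os.path.realpath(root)
    rel = fully_decode(rel_path).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root_real, validate_source(source), rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("resolved path escapes the artifact root")
    return candidate


def is_rejected(root: str, source: str, rel_path: str) -> bool:
    try:
        resolve_artifact(root, source, rel_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":  # constructed sample inputs, not from the advisory
    for src, rel in [("models/run1", "model.pkl"), ("models/%252e%252e", "x")]:
        print(src, rel, "rejected" if is_rejected("/srv/artifacts", src, rel) else "ok")
```

The containment check in `resolve_artifact()` is the one that matters at retrieval time: it runs on the path actually opened, so it holds even if a stored `source` predates the stricter validation.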
Who is affected
Any deployment of MLflow version 2.9.2 is vulnerable to this attack, potentially allowing attackers to read arbitrary files on the server. This affects administrators and users of MLflow who rely on the integrity and confidentiality of their data.