The core of the vulnerability lies in MLflow's handling of model names. Normally, MLflow prevents the creation of multiple models with the same name to maintain integrity and avoid confusion. However, by exploiting URL encoding, an attacker can bypass this restriction and create a model with a name that, once URL-decoded, matches an existing model's name. This flaw can lead to two major threats: Denial of Service, where legitimate users cannot access the correct model due to name collisions, and Data Model Poisoning, where an attacker's malicious model could be mistaken for a legitimate one.

An attacker first identifies a target model name to exploit. They then create a new model, using URL encoding to bypass MLflow's name uniqueness constraint, effectively creating a model with the same name as the target. When a legitimate user attempts to access the original model, they are instead directed to the attacker's model. This can result in either denial of service, where the user cannot access the needed model, or model poisoning, where the user unknowingly interacts with a malicious model.

The vulnerability primarily affects authenticated users of MLflow who rely on the integrity and uniqueness of model names for accessing and managing machine learning models. This includes data scientists, ML engineers, and any stakeholders in the ML lifecycle who interact with MLflow for model versioning, tracking, and deployment.