The vulnerability stems from the improper handling of the fragment component (#) in the artifact_location URI when creating an experiment in mlflow. Attackers can exploit this by crafting a malicious artifact_location that includes a path traversal sequence following a #, leading to arbitrary file read capabilities. This could potentially expose sensitive information stored on the server, compromising the integrity and confidentiality of the system.

An attacker crafts a request to create a new experiment in mlflow, specifying an artifact_location with a path traversal sequence following a #. This allows the attacker to later create a registered model version that points to an arbitrary file on the server. By requesting the artifact of this model version, the attacker can read the contents of the file, such as /etc/passwd, thereby gaining access to sensitive information.

Any system running mlflow version 2.9.2 that allows users to specify artifact_location when creating experiments is vulnerable. This includes environments where mlflow is used for managing machine learning experiments and models, potentially exposing sensitive files on the server to unauthorized access.