The vulnerability stems from the way MLflow processes model source URLs. Specifically, when a model is created with a source URL pointing to another model that, in turn, points to a malicious server, MLflow fetches and writes files as specified by the attacker. This behavior can be exploited to write arbitrary files on the system, leading to remote code execution. The lack of authentication by default and the ability to control the file path and content through a malicious server are key factors that facilitate this exploit.

An attacker sets up a malicious server to serve a JSON response that specifies a file path and content. The attacker then creates two models in MLflow: the first model's source points to the malicious server, and the second model's source points to the first model. When MLflow processes the second model, it fetches the file specification from the malicious server and writes the specified file to the system, allowing the attacker to execute arbitrary code.

Any user or organization running MLflow versions 2.6.0 to 2.9.1 with default configurations is vulnerable to this attack. The vulnerability specifically affects environments where MLflow is used for tracking experiments, packaging code, and sharing and deploying models without requiring authentication.