Date 2026-06-20. Target: MLflow (last parked lead of the huntr AI/ML session). Verdict: WALK. But the WHY is a reusable hunting strategy for the whole ML-platform class (MLflow, BentoML, KServe, Ray Serve, Seldon, HuggingFace loaders, etc).
Every MLflow model-load flavor (pyfunc, sklearn, pytorch, tensorflow, langchain, recipe) does unsafe pickle/cloudpickle/torch.load. ALL of them:
1. GATE A - already disclosed: mass-CVE'd June 2024 (CVE-2024-37052..37061, issue #12256 / GHSA-j8mg-pqc5-x9gj, public PoCs). The whole class is public.
2. GATE B - by-design trusted-input: MLflow DOCUMENTS model-load as a trust operation (MLFLOW_ALLOW_PICKLE_DESERIALIZATION opt-out, skops/pickle-free alternatives, explicit "unpickling untrusted = dangerous" warnings). Same posture as Python pickle / TF "models are programs." Loading your own/a trusted model = user responsibility.
So "I made a malicious pickle model and loaded it" is NOT a finding - it's the documented threat model. This kills naive ML-deser leads instantly. Run GATE A + GATE B first (cheap) and walk; do NOT clone/PoC a by-design+disclosed sink (cost-governed - the MLflow drill correctly skipped the clone).
A by-design trusted-load becomes a REAL, eligible vuln only when paired with a SEPARATE primitive that lets an attacker PLANT the artifact a victim/server then AUTO-loads, WITHOUT a trust assumption: - Unauth / cross-tenant artifact WRITE: an SSRF/path-traversal/access-control bug that writes into the artifact store another user or the server auto-deserializes (MLflow's GHSA-83fm / GHSA-xg73 file-access lineage is exactly this class). - Auto-load trigger: a registry/serving endpoint that loads a model on registration/deploy/inference without the operator choosing to "trust" it. - Cross-tenant model share: tenant A registers a model, tenant B's pipeline auto-loads it.
The cash bug is the WRITE/ACCESS-CONTROL primitive (undisclosed, not-by-design), with the deser as the impact amplifier (by-design -> RCE). Hunt the artifact-write/access-control surface, NOT the pickle call. When you report, the vuln-of-record is "unauth attacker can plant an auto-deserialized artifact," and the RCE is the consequence - that reframes a by-design sink into an eligible finding.
A PoC must show the FULL chain: unauth/cross-tenant WRITE -> victim/server AUTO-load -> code-exec. NOT "I loaded a pickle I supplied to myself." If you can only show the latter, it's by-design - walk.