MLflow validated only part of the URI and then used the original value to create the model. An attacker could leverage this to eventually read sensitive files from the server. MLflow fixed the issue ...