An attacker can overwrite any file on the server hosting MLflow without any authentication.
lfprojects mlflow -