Weights & Biases Attack Surface
Security analysis of Weights & Biases (W&B/wandb): API key exposure, experiment data leakage, team boundary violations, artifact poisoning, and attack techniques specific to the W&B platform.
Weights & Biases Attack Surface
Weights & Biases (W&B) is one of the most widely adopted experiment tracking platforms in ML, used by research labs and production teams alike. Its extensive integration surface -- spanning training frameworks, cloud providers, and CI/CD systems -- creates a correspondingly broad attack surface. W&B's design philosophy of "log everything" maximizes reproducibility but also maximizes the amount of sensitive data that flows through and is stored by the platform.
API Key Exposure
W&B API keys are the primary authentication mechanism and the most common entry point for attackers. A single API key grants access to the user's entire entity (personal or organizational), including all projects, runs, artifacts, and reports.
Where API Keys Leak
| Location | How It Happens | Detection |
|---|---|---|
| Git repositories | Hardcoded in training scripts, .env files committed, Jupyter notebooks with wandb.login(key=...) | GitHub secret scanning, trufflehog |
| CI/CD logs | Printed during wandb login or captured in build output | Log review, CI/CD secret auditing |
| Docker images | Baked into image layers via ENV WANDB_API_KEY=... or .netrc files | Image layer inspection with dive |
| Shared notebooks | Colab/Jupyter notebooks with inline API keys shared publicly | Notebook content scanning |
| Experiment logs | Captured via wandb.config.update(os.environ) and visible in the W&B dashboard | W&B run config review |
Exploitation
Once an API key is obtained, an attacker can use the W&B Python SDK or REST API to:
Enumerate accessible projects and runs
Use
wandb.Api()to list all projects, runs, and their metadata. This reveals the organization's complete experiment history.import wandb # Authenticate with the compromised key api = wandb.Api(api_key="compromised_key_here") # List all accessible projects for project in api.projects(): print(f"Project: {project.name}") for run in api.runs(f"{project.entity}/{project.name}"): print(f" Run: {run.name} | State: {run.state}") print(f" Config: {dict(run.config)}") print(f" Summary: {dict(run.summary)}")Extract artifacts and model checkpoints
Download all artifacts including model weights, datasets, and configuration files stored in W&B Artifacts.
Harvest credentials from run configs
Search across all runs for configuration keys that look like credentials: paths containing "key", "secret", "token", "password", or "credential".
Modify artifacts for poisoning
If the key has write access, upload modified model checkpoints or datasets as new artifact versions. Downstream pipelines that pull "latest" will consume the poisoned artifacts.
Experiment Data Leakage
Public Projects
W&B allows projects to be set to "public" visibility, making all runs, configs, and artifacts accessible to anyone. Organizations sometimes set projects to public for collaboration without realizing the security implications.
What leaks from public projects:
- Complete hyperparameter configurations for every run
- Training loss curves and evaluation metrics
- Model architecture details encoded in config
- Dataset paths revealing internal infrastructure
- Artifact files including model checkpoints
Report Sharing
W&B Reports can be shared via URL. Reports may embed sensitive data including:
- Interactive plots of training metrics
- Code snippets from logged source
- Artifact references that may be downloadable
- Run tables with full configuration details
Even "view-only" report links can leak significant information because the underlying run data is accessible through the report's data bindings.
Sweep Configurations
Sweeps are particularly revealing because they expose the complete hyperparameter search space. A sweep configuration shows not just what values were tried, but the ranges the team considers reasonable -- information that dramatically accelerates competitive replication.
Team Boundary Violations
Multi-Team Organizations
W&B organizations can contain multiple teams. The security boundary between teams depends on configuration, and the defaults are often more permissive than expected.
Common boundary violations:
- Team members can see other teams' project names even without access to run data
- Organization admins have implicit access to all teams' data
- Service accounts created for CI/CD may have cross-team access
- Artifact references can cross team boundaries when runs reference artifacts from other teams
Entity Confusion
W&B uses "entities" (usernames or team names) in API paths: wandb.init(entity="team-name", project="project-name"). If a training script uses a hardcoded entity and the corresponding API key has access to multiple entities, runs may be logged to unintended projects. An attacker who controls a similarly named entity could intercept experiment data.
Artifact Poisoning
W&B Artifacts provide versioned, lineage-tracked storage for datasets, models, and other files. The artifact system's trust model creates opportunities for poisoning attacks.
Version Manipulation
Artifacts use aliases like "latest", "best", and "production" to reference specific versions. An attacker with write access can:
- Upload a new version of a model artifact with a backdoor
- Move the "latest" or "production" alias to point to the poisoned version
- Downstream pipelines that reference
artifact:latestwill pull the poisoned version - The original artifact versions remain intact, making the attack reversible and deniable
Lineage Exploitation
W&B tracks artifact lineage -- which runs produced and consumed which artifacts. An attacker can create a run that claims to be a legitimate training job, produces a poisoned artifact, and links it to the genuine training lineage. The poisoned artifact appears in the lineage graph as a legitimate output.
Cross-Project Artifact References
Artifacts can be referenced across projects within the same entity. A compromised project can upload artifacts that are consumed by pipelines in other projects, enabling lateral movement through the artifact dependency graph.
import wandb
api = wandb.Api()
# Get the production model artifact
artifact = api.artifact("team/project/model:production")
print(f"Current production version: {artifact.version}")
# Create a poisoned version
run = wandb.init(project="project", entity="team")
poisoned_artifact = wandb.Artifact("model", type="model")
poisoned_artifact.add_file("poisoned_model.pt")
run.log_artifact(poisoned_artifact, aliases=["production", "latest"])
run.finish()
# The "production" alias now points to the poisoned versionSelf-Hosted W&B Security
Organizations running self-hosted W&B (W&B Server) face additional attack surfaces beyond the managed cloud offering.
Infrastructure Concerns
| Component | Risk | Mitigation |
|---|---|---|
| MySQL/PostgreSQL backend | Database compromise exposes all experiment data | Encrypt at rest, restrict network access |
| Object storage (S3/GCS/MinIO) | Direct access to artifacts bypassing W&B access controls | Bucket policies, no public access |
| Redis cache | Session data and temporary credentials in memory | Network isolation, authentication |
| W&B application server | Application-level vulnerabilities | Regular updates, WAF, access logging |
Authentication Bypass
Self-hosted W&B instances sometimes use permissive authentication configurations:
- Local accounts with default or weak passwords
- SAML/OIDC misconfigurations allowing unauthorized access
- API endpoints that do not enforce authentication for certain operations
- Admin console accessible without additional authentication
Detection and Monitoring
Indicators of Compromise
| Indicator | What It Suggests |
|---|---|
| API calls from unfamiliar IP addresses | Stolen API key in use |
| Bulk download of artifacts across multiple projects | Data exfiltration in progress |
| Artifact alias changes without corresponding training runs | Artifact poisoning attempt |
| New runs appearing in projects with unusual configurations | Unauthorized experiment access |
| Service account API key used interactively | Service credential theft |
Logging and Alerting
W&B provides audit logs in enterprise tiers. Key events to monitor:
- API key creation and usage
- Artifact version creation and alias changes
- Project visibility changes (private to public)
- Team membership modifications
- Bulk data export operations
References
- W&B Security Documentation -- Official security guidance
- W&B Server Deployment -- Self-hosted deployment documentation
- W&B Audit Logs -- Enterprise audit logging
An attacker finds a W&B API key in a public GitHub repository. What is the scope of access this key provides?