Skip to main content

Mlflow Mlflow CVE-2025-14287

| EUVDEUVD-2025-208671 HIGH
Code Injection (CWE-94)
2026-03-15 @huntr_ai GHSA-xch3-2f9x-wh9f
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 14, 2026 - 16:52 NVD
7.5 (HIGH) 8.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 10:00 euvd
EUVD-2025-208671
Analysis Generated
Mar 15, 2026 - 10:00 vuln.today
CVE Published
Mar 15, 2026 - 09:27 nvd
HIGH 7.5

DescriptionNVD

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/sagemaker/__init__.py file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using os.system(). This allows attackers to execute arbitrary commands by supplying malicious input through the --container parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.

AnalysisAI

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.

Technical ContextAI

The vulnerability exists in the mlflow/sagemaker/__init__.py file where user-supplied container image names are directly interpolated into shell commands and executed via os.system() without proper sanitization. Based on the CPE identifier (cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*), all MLflow versions prior to v3.7.0 are affected. This is classified as CWE-94 (Improper Control of Generation of Code), a dangerous weakness class that allows attackers to inject and execute arbitrary code through unsanitized input that gets interpreted as code rather than data.

RemediationAI

Upgrade to MLflow version 3.7.0 or later which contains the fix for this vulnerability. No specific vendor advisory is linked in the references beyond the HuntrAI bounty report. As a workaround, organizations should validate and sanitize any user-supplied container image names before passing them to MLflow's SageMaker deployment functions, or restrict access to the MLflow SageMaker deployment functionality to trusted users only.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2025-14287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy