Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 4 pypi packages depend on mlflow (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.9.0.
DescriptionCVE.org
A command injection vulnerability exists in mlflow/mlflow when serving a model with enable_mlserver=True. The model_uri is embedded directly into a shell command executed via bash -c without proper sanitization. If the model_uri contains shell metacharacters, such as $() or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
AnalysisAI
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Technical ContextAI
MLflow is an open-source platform for managing machine learning lifecycle, including model serving capabilities. When MLServer integration is enabled via the enable_mlserver parameter, MLflow constructs shell commands to invoke model serving processes. The vulnerability (CWE-78: OS Command Injection) occurs because the model_uri parameter-which specifies the location of ML models to serve-is directly interpolated into bash -c command strings without input validation or sanitization. Shell metacharacters in the model_uri ($(), backticks, semicolons, pipes) are interpreted by the bash shell, enabling arbitrary command execution. The affected product is identified as mlflow/mlflow (CPE: cpe:2.3:a:mlflow:mlflow/mlflow), with all versions vulnerable according to available data. This reflects a fundamental input validation failure in the MLServer serving code path.
RemediationAI
Organizations using MLflow with MLServer integration should immediately review and restrict model_uri input sources to trusted, validated paths only. Implement input validation to reject or sanitize shell metacharacters in model_uri parameters before processing. As an immediate mitigation, disable enable_mlserver=True if MLServer functionality is not required for production operations. Apply network segmentation to restrict adjacent network access to MLflow serving infrastructure to authorized users and systems only. Monitor the official MLflow GitHub repository and security advisories at https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285 for vendor-released patches addressing this vulnerability. Implement principle of least privilege for MLflow service accounts to limit privilege escalation impact. Audit existing model serving configurations to identify potentially exploitable model_uri values and review logs for suspicious command patterns. Until patches are available, consider alternative model serving approaches that do not involve MLServer or implement wrapper scripts with strict input validation.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17415
GHSA-rvhj-8chj-8v3c