Skip to main content

Mlflow Mlflow CVE-2026-0596

| EUVDEUVD-2026-17415 HIGH
OS Command Injection (CWE-78)
2026-03-31 @huntr_ai GHSA-rvhj-8chj-8v3c
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Severity Changed
Apr 14, 2026 - 16:07 NVD
CRITICAL HIGH
CVSS changed
Apr 14, 2026 - 16:07 NVD
9.6 (CRITICAL) 7.8 (HIGH)
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 15:01 euvd
EUVD-2026-17415
Analysis Generated
Mar 31, 2026 - 15:01 vuln.today
CVE Published
Mar 31, 2026 - 14:25 nvd
CRITICAL 9.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on mlflow (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.0.

DescriptionCVE.org

A command injection vulnerability exists in mlflow/mlflow when serving a model with enable_mlserver=True. The model_uri is embedded directly into a shell command executed via bash -c without proper sanitization. If the model_uri contains shell metacharacters, such as $() or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.

AnalysisAI

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.

Technical ContextAI

MLflow is an open-source platform for managing machine learning lifecycle, including model serving capabilities. When MLServer integration is enabled via the enable_mlserver parameter, MLflow constructs shell commands to invoke model serving processes. The vulnerability (CWE-78: OS Command Injection) occurs because the model_uri parameter-which specifies the location of ML models to serve-is directly interpolated into bash -c command strings without input validation or sanitization. Shell metacharacters in the model_uri ($(), backticks, semicolons, pipes) are interpreted by the bash shell, enabling arbitrary command execution. The affected product is identified as mlflow/mlflow (CPE: cpe:2.3:a:mlflow:mlflow/mlflow), with all versions vulnerable according to available data. This reflects a fundamental input validation failure in the MLServer serving code path.

RemediationAI

Organizations using MLflow with MLServer integration should immediately review and restrict model_uri input sources to trusted, validated paths only. Implement input validation to reject or sanitize shell metacharacters in model_uri parameters before processing. As an immediate mitigation, disable enable_mlserver=True if MLServer functionality is not required for production operations. Apply network segmentation to restrict adjacent network access to MLflow serving infrastructure to authorized users and systems only. Monitor the official MLflow GitHub repository and security advisories at https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285 for vendor-released patches addressing this vulnerability. Implement principle of least privilege for MLflow service accounts to limit privilege escalation impact. Audit existing model serving configurations to identify potentially exploitable model_uri values and review logs for suspicious command patterns. Until patches are available, consider alternative model serving approaches that do not involve MLServer or implement wrapper scripts with strict input validation.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2025-15379 CRITICAL
9.8 Mar 30

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Share

CVE-2026-0596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy