Description
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
Published: 2026-03-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to execute arbitrary shell commands within the MLflow process. It occurs in versions of mlflow before 3.7.0 where the CLI parameter --container is directly inserted into a shell command via os.system without sanitization. The flaw is a classic command injection (CWE‑78, CWE‑94). If exploited, the attacker could compromise confidentiality, integrity, and availability of the system and potentially access sensitive data or disrupt services.

Affected Systems

The issue is present in the mlflow/mlflow open‑source project, affecting any deployment that includes the mlflow version earlier than 3.7.0. Users running MLflow in development machines, CI/CD pipelines, or cloud services should verify their installed version and apply updates if necessary. The file mlflow/sagemaker/__init__.py is where the injection occurs, impacting any environment that uses the sagemaker integration and accepts the --container parameter.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score below 1% suggests low current exploitation probability, though the risk remains significant. The vulnerability is not listed in CISA's KEV catalog. Exploitation would follow an attack path where a privileged user or an attacker with access to the MLflow CLI supplies a malicious value for --container. In environments where the CLI is exposed or accessible by untrusted users, the attack could be performed remotely. Mitigation requires patching or removing the vulnerable code path, as the issue stems from unsanitized user input.

Generated by OpenCVE AI on April 14, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mlflow to version 3.7.0 or later.
  • If the application does not require the --container feature, disable or remove its usage.
  • Apply input validation or sanitization on the container name before executing os.system, or replace os.system with a safer API.
  • Restrict access to the MLflow CLI or the underlying process to trusted users only.
  • Monitor logs for suspicious command execution and review CI/CD pipelines for unpatched instances.

Generated by OpenCVE AI on April 14, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xch3-2f9x-wh9f MLflow has a command injection in mlflow/sagemaker/__init__.py
History

Tue, 14 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:-:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 17 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow
Vendors & Products Mlflow
Mlflow mlflow

Sun, 15 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
Title Command Injection in mlflow/mlflow
Weaknesses CWE-94
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-17T12:44:13.631Z

Reserved: 2025-12-08T19:06:12.739Z

Link: CVE-2025-14287

cve-icon Vulnrichment

Updated: 2026-03-17T12:44:10.328Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:17:55.610

Modified: 2026-04-14T16:48:14.020

Link: CVE-2025-14287

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-15T09:27:36Z

Links: CVE-2025-14287 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses