Description
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution
Action: Immediate Patch
AI Analysis

Impact

MLflow’s model serving initialization performs shell command construction by reading dependency lists from a model artifact’s python_env.yaml file without sanitization. This creates a command injection flaw that allows attackers to include malicious text in the yaml and cause the MLflow service to execute arbitrary shell commands. The weakness is classified as OS Command Injection (CWE-77) and Command Injection (CWE-78), and can compromise the host on which the model is served, enabling attackers to gain full control of the machine.

Affected Systems

Version 3.8.0 of the open-source MLflow project (mlflow:mlflow/mlflow) is affected. The fix was introduced in version 3.8.2. The issue arises when a model is deployed with the default LOCAL environment manager and does not involve other external packages.

Risk and Exploitability

An attacker can exploit this by uploading a crafted python_env.yaml in a model artifact and deploying it to a server running MLflow with the local environment manager. Because the payload runs in the same shell context as the MLflow service, the attack only requires permission to upload a model artifact. The CVSS v3.1 base score of 9.8 signals complete privilege escalation, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, but that does not change the severity of the flaw.

Generated by OpenCVE AI on April 29, 2026 at 00:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow to version 3.8.2 or later
  • If an upgrade cannot be performed immediately, restrict the env_manager to a secure mode or limit deployment to trusted users only
  • Audit all model artifacts for malicious python_env.yaml entries and remove or sanitize any that pose a risk
  • Implement a peer‑review or automated linting process to prevent injection payloads from entering the artifact repository

Generated by OpenCVE AI on April 29, 2026 at 00:37 UTC.
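
The audit and linting actions above can be automated. The following is an added example, not MLflow's code and not the 3.8.2 fix: it checks dependency entries against a conservative allowlist and builds the install command as an argument list instead of a shell string. It assumes `python_env.yaml` has already been parsed into a dict with `build_dependencies` and `dependencies` lists; the function names and the sample data are constructed for illustration.

```python
import re
import sys

# Conservative allowlist: name, optional extras, optional version specifiers.
# Markers, URLs, pip options and shell syntax all fail it and go to review.
_SPEC = r"\s*(==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!_-]+"
_REQ = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._-]*"       # distribution name
    r"(\[[A-Za-z0-9._, -]+\])?"         # optional extras
    rf"({_SPEC}(\s*,{_SPEC})*)?"        # optional version specifiers
)
_REQ_FILE = re.compile(r"-r [A-Za-z0-9._/-]+")  # the only pip option accepted

# Constructed sample: python_env.yaml content after YAML parsing (assumed layout).
SAMPLE_ENV = {
    "python": "3.10.12",
    "build_dependencies": ["pip==23.3.1", "setuptools", "wheel"],
    "dependencies": [
        "-r requirements.txt",
        "scikit-learn>=1.3,<2",
        "requests; echo INJECTED",      # constructed entry carrying shell syntax
    ],
}

def audit_python_env(env):
    """Return (section, entry) pairs that are not plain requirement strings."""
    findings = []
    for section in ("build_dependencies", "dependencies"):
        for entry in env.get(section) or []:
            ok = isinstance(entry, str) and (
                _REQ.fullmatch(entry) or _REQ_FILE.fullmatch(entry))
            if not ok:
                findings.append((section, str(entry)))
    return findings

def pip_install_argv(deps):
    """Build argv for subprocess.run(argv, shell=False); no shell parses it."""
    bad = audit_python_env({"dependencies": deps})
    if bad:
        raise ValueError(f"unvalidated dependency entries: {bad}")
    argv = [sys.executable, "-m", "pip", "install"]
    for dep in deps:
        # "-r file" becomes two arguments; every other entry stays one argument.
        argv.extend(dep.split(" ", 1) if dep.startswith("-r ") else [dep])
    return argv

if __name__ == "__main__":
    for section, entry in audit_python_env(SAMPLE_ENV):
        print(f"REVIEW {section}: {entry!r}")
```

The allowlist is deliberately strict, so legitimate entries that use environment markers or direct URLs are also reported and need manual review.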


Advisories
Source | ID | Title
Github GHSA | GHSA-r23q-823p-vmf7 | MLflow Command Injection vulnerability
History

Tue, 28 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow
Weaknesses CWE-78
Vendors & Products Mlflow
Mlflow mlflow
References
Metrics threat_severity

None

cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Critical


Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
Title Command Injection in mlflow/mlflow
Weaknesses CWE-77
References
Metrics cvssV3_0

{'score': 10, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-31T13:50:57.378Z

Reserved: 2025-12-30T21:24:21.058Z

Link: CVE-2025-15379

Vulnrichment

Updated: 2026-03-30T13:34:44.912Z

NVD

Status: Analyzed

Published: 2026-03-30T08:16:15.667

Modified: 2026-04-28T14:26:00.520

Link: CVE-2025-15379

Redhat

Severity: Critical

Public Date: 2026-03-30T07:16:57Z

Links: CVE-2025-15379 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:45:26Z

Weaknesses