Description
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
Published: 2026-03-31
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Patch Immediately
AI Analysis

Impact

A command injection flaw occurs in the mlflow model serving component when the enable_mlserver option is enabled. The framework builds a shell command by directly inserting the model URI into a bash invocation. If the supplied URI contains shell metacharacters such as $() or backticks, the shell will execute them. This defect can allow an attacker to run arbitrary commands on the machine that hosts the mlflow service, potentially elevating privileges if the service runs with higher rights and accesses a directory that attackers can write to.

Affected Systems

The vulnerability affects the mlflow open‑source framework, specifically the mlflow/mlflow package. No exact version number is stated, but the description notes that the flaw exists in the latest official release. The issue is tied to deployments that enable the optional mlserver interface.

Risk and Exploitability

The CVSS score of 7.8 reflects a high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote attacker who can influence the value of model_uri, for example by uploading or modifying a model file that the serving process reads. Successful exploitation requires that the attacker be able to set or alter the model_uri value; the exploit does not grant arbitrary remote code execution without such influence.

Generated by OpenCVE AI on April 14, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the newest patched release of mlflow as soon as it becomes available
  • Disable the enable_mlserver option if it is not needed for your deployment
  • Restrict write permissions on the directory from which models are served so that lower‑privileged users cannot modify the model_uri
  • Sanitize or validate all model_uri values before they are incorporated into shell commands
  • Run the mlflow serving process with the minimum privileges necessary
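
The sanitization action above, as an added example (not MLflow's code and not part of the original advisory): it contrasts an unquoted `bash -c` string with a quoted one, a shell-free argv call, and an allow-list check. Here `printf` stands in for the real serving command; the function names and the allow-list pattern are assumptions made for illustration.

```python
import re
import shlex
import shutil
import subprocess

# The advisory names `bash -c`; fall back to sh where bash is absent.
SHELL = shutil.which("bash") or "sh"

# Constructed sample: a model_uri carrying command substitution (harmless echo).
SAMPLE_URI = "models/$(echo INJECTED)"

# Assumed allow-list for this example: characters found in ordinary paths and
# scheme-prefixed URIs, none of which triggers shell expansion.
_SAFE_URI = re.compile(r"[A-Za-z0-9_./:@=+-]+")


def validate_model_uri(uri: str) -> str:
    """Reject any model_uri containing characters outside the allow-list."""
    if not _SAFE_URI.fullmatch(uri):
        raise ValueError(f"disallowed characters in model_uri: {uri!r}")
    return uri


def _sh(command: str) -> str:
    """Run a command string through the shell and return its stdout."""
    return subprocess.run([SHELL, "-c", command],
                          capture_output=True, text=True, check=True).stdout


def serve_unsafe(model_uri: str) -> str:
    """Weak pattern: the URI is pasted into the shell string unquoted."""
    return _sh(f"printf '%s' {model_uri}")


def serve_quoted(model_uri: str) -> str:
    """shlex.quote() makes the shell treat the URI as one literal word."""
    return _sh(f"printf '%s' {shlex.quote(model_uri)}")


def serve_argv(model_uri: str) -> str:
    """No shell at all: the URI is passed as a single argv element."""
    return subprocess.run(["printf", "%s", model_uri],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("unsafe:", serve_unsafe(SAMPLE_URI))   # the shell expands $()
    print("quoted:", serve_quoted(SAMPLE_URI))   # URI stays literal
    print("argv:  ", serve_argv(SAMPLE_URI))     # URI stays literal
```

The argv form is the most robust of the three because no shell parses the value; the allow-list is a second layer, not a replacement for it.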



Advisories
Source: Github GHSA
ID: GHSA-rvhj-8chj-8v3c
Title: Mflow: Command Injection when serving models with enable_mlserver=True
History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared: Lfprojects; Lfprojects mlflow
CPEs: cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*
Vendors & Products: Lfprojects; Lfprojects mlflow
Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared: Mlflow; Mlflow mlflow
Vendors & Products: Mlflow; Mlflow mlflow

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
Title Command Injection in mlflow/mlflow
Weaknesses CWE-78
References
Metrics: cvssV3_0 {'score': 9.6, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-01T03:55:35.518Z

Reserved: 2026-01-05T03:58:44.787Z

Link: CVE-2026-0596

Vulnrichment

Updated: 2026-03-31T17:19:26.568Z

NVD

Status: Analyzed

Published: 2026-03-31T15:16:10.843

Modified: 2026-04-14T16:01:29.660

Link: CVE-2026-0596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses