CVE-2026-0596 - Vulnerability Details

Description

A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.

Published: 2026-03-31

Score: 9.6 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

mlflow/mLflow will embed the supplied model_uri directly into a bash command executed via bash -c when the enable_mlserver option is enabled. Because the input is never sanitized, model_uri values that contain shell metacharacters such as $() or backticks trigger command substitution and allow an attacker to run arbitrary shell code. The vulnerability can lead to complete loss of confidentiality, integrity, and availability of the system, and if the application runs with elevated privileges and serves models from a directory writable by lower‑privileged users, it can result in privilege escalation.

Affected Systems

The issue is present in the latest version of mlflow/mLflow. The affected vendor is mlflow and the product is mlflow. No specific version range is provided, so all builds after the introduction of enable_mlserver are potentially impacted.

Risk and Exploitability

With a CVSS score of 9.6, the vulnerability is considered critical. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can influence the model_uri parameter, such as through the API, can execute arbitrary shell commands. The attack vector is remote, and the potential impact includes arbitrary code execution and elevation of process privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mlflow

mlflow/mlflow

affected

Version	Status	Constraints
`unspecified`	affected	≤ latest

No data.

Vendor Product Confidence Versions

Mlflow

100%

Version	Status	Scheme	Platform
`[0,*]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest official patch or upgrade mlflow/mLflow to a version that sanitizes model_uri input.
If an upgrade is not immediately possible, disable the enable_mlserver option or restrict its use to trusted environments.
Ensure that the directory containing model files is owned by a privileged account and is not writable by lower‑privileged users.

Generated by OpenCVE AI on March 31, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285

History

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mlflow Mlflow mlflow
Vendors & Products		Mlflow Mlflow mlflow

Tue, 31 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 31 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
Title		Command Injection in mlflow/mlflow
Weaknesses		CWE-78
References		https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285
Metrics		cvssV3_0 `{'score': 9.6, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Mlflow Mlflow

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2026-03-31T14:25:27.716Z

Updated: 2026-04-01T03:55:35.518Z

Reserved: 2026-01-05T03:58:44.787Z

Link: CVE-2026-0596

Vulnrichment

Updated: 2026-03-31T17:19:26.568Z

NVD

Status : Received

Published: 2026-03-31T15:16:10.843

Modified: 2026-03-31T15:16:10.843

Link: CVE-2026-0596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:18Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object