{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0596", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-05T03:58:44.787Z", "datePublished": "2026-03-31T14:25:27.716Z", "dateUpdated": "2026-04-01T03:55:35.518Z"}, "containers": {"cna": {"title": "Command Injection in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-31T14:25:27.716Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "cweId": "CWE-78"}]}], "source": {"advisory": "2e905add-f9f5-4309-a3db-b17de5981285", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-0596"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T03:55:35.518Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0596", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T17:19:22.123778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:19:26.568Z"}}], "cna": {"title": "Command Injection in mlflow/mlflow", "source": {"advisory": "2e905add-f9f5-4309-a3db-b17de5981285", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-31T14:25:27.716Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0596", "state": "PUBLISHED", "dateUpdated": "2026-04-01T03:55:35.518Z", "dateReserved": "2026-01-05T03:58:44.787Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-31T14:25:27.716Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*", "matchCriteriaId": "F18F1880-033C-4E18-913C-6C5356427ABB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users."}], "id": "CVE-2026-0596", "lastModified": "2026-04-14T16:01:29.660", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T15:16:10.843", "references": [{"source": "security@huntr.dev", "tags": ["Third Party Advisory", "Exploit"], "url": "https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "mlflow/mlflow", "source": "cna", "vendor": "mlflow"}, "product": "mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-04-14T18:59:19.678265+00:00", "value": {"mitigation_remediation": ["Upgrade to the newest patched release of mlflow as soon as it becomes available", "Disable the enable_mlserver option if it is not needed for your deployment", "Restrict write permissions on the directory from which models are served so that lower\u2011privileged users cannot modify the model_uri", "Sanitize or validate all model_uri values before they are incorporated into shell commands", "Run the mlflow serving process with the minimum privileges necessary"], "summary": {"action": "Patch Immediately", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the mlflow open\u2011source framework, specifically the mlflow/mlflow package. No exact version number is stated, but the description notes that the flaw exists in the latest official release. The issue is tied to deployments that enable the optional mlserver interface.", "description_and_impact": "A command injection flaw occurs in the mlflow model serving component when the enable_mlserver option is enabled. The framework builds a shell command by directly inserting the model URI into a bash invocation. If the supplied URI contains shell metacharacters such as $() or backticks, the shell will execute them. This defect can allow an attacker to run arbitrary commands on the machine that hosts the mlflow service, potentially elevating privileges if the service runs with higher rights and accesses a directory that attackers can write to.", "risk_and_exploitability": "The CVSS score of 7.8 reflects a high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote attacker who can influence the value of model_uri, for example by uploading or modifying a model file that the serving process reads. Successful exploitation requires that the attacker be able to set or alter the model_uri value; the exploit does not grant arbitrary remote code execution without such influence."}}}}, "created": "2026-03-31T19:54:22.984108+00:00", "updated": "2026-04-15T16:45:09.776395+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow"]}