CVE-2026-0596
Received Received - Intake
Command Injection in mlflow Model Serving Enables Privilege Escalation

Publication date: 2026-03-31

Last updated on: 2026-04-14

Assigner: huntr.dev

Description
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0596
EUVD
EUVD-2026-17415
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lfprojects mlflow *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection issue in mlflow/mlflow when serving a model with the option `enable_mlserver=True`. The problem arises because the `model_uri` is directly embedded into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters like `$()` or backticks, it can lead to command substitution, allowing an attacker to execute arbitrary commands.

This means that an attacker can inject malicious commands through the `model_uri` parameter, potentially gaining unauthorized control over the system.

Impact Analysis

This vulnerability can have severe impacts including privilege escalation. If a higher-privileged service serves models from a directory writable by lower-privileged users, an attacker can exploit this flaw to execute commands with elevated privileges.

The CVSS score of 9.6 indicates a critical severity, meaning it can lead to complete compromise of confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

To mitigate this vulnerability, avoid serving models with the `enable_mlserver=True` option until a fix is applied.

Ensure that the `model_uri` does not contain shell metacharacters such as `$()` or backticks to prevent command injection.

Restrict write permissions on directories from which models are served, especially preventing lower-privileged users from writing to directories used by higher-privileged services.

Monitor for updates or patches from the mlflow/mlflow project and apply them promptly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart