CVE-2026-0596
Received - Intake
Command Injection in mlflow Model Serving Enables Privilege Escalation

Publication date: 2026-03-31

Last updated on: 2026-04-14

Assigner: huntr.dev

Description
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-14
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
lfprojects | mlflow | *
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Mitigation Strategies

To mitigate this vulnerability, avoid serving models with the `enable_mlserver=True` option until a fix is applied.

Ensure that the `model_uri` does not contain shell metacharacters such as `$()` or backticks to prevent command injection.

Restrict write permissions on directories from which models are served, especially preventing lower-privileged users from writing to directories used by higher-privileged services.

Monitor for updates or patches from the mlflow/mlflow project and apply them promptly.
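
The pattern described above, reduced to an added example (not mlflow's own code): a `model_uri` interpolated into a string run by a shell, next to the quoted form, the no-shell form, and an allowlist check. The function names, the allowlist regex and the `echo` stand-in command are assumptions; the sample URI is constructed and its substitution only echoes a marker.

```python
import re
import shlex
import shutil
import subprocess

# The advisory names `bash -c`; fall back to /bin/sh, which parses $() the same way.
SHELL = shutil.which("bash") or "/bin/sh"

# Constructed sample input: a model_uri carrying a harmless command substitution.
HOSTILE_URI = "models/$(echo INJECTED)"

# Hypothetical allowlist for model URIs; widen it only for schemes you actually serve.
SAFE_URI = re.compile(r"[A-Za-z0-9_./:@+-]+")


def _run(argv):
    return subprocess.run(argv, capture_output=True, text=True).stdout.strip()


def serve_unsafe(model_uri):
    """Vulnerable pattern: the shell parses the URI as part of the command."""
    return _run([SHELL, "-c", f"echo serving {model_uri}"])


def serve_quoted(model_uri):
    """Still a shell command, but the URI is quoted into one literal word."""
    return _run([SHELL, "-c", f"echo serving {shlex.quote(model_uri)}"])


def serve_argv(model_uri):
    """Preferred: no shell involved, the URI is a single argv element."""
    return _run(["echo", "serving", model_uri])


def validate_model_uri(model_uri):
    """Defence in depth: reject URIs outside the allowlist before any command is built."""
    if not SAFE_URI.fullmatch(model_uri):
        raise ValueError(f"rejected model_uri: {model_uri!r}")
    return model_uri


if __name__ == "__main__":
    print("unsafe:", serve_unsafe(HOSTILE_URI))
    print("quoted:", serve_quoted(HOSTILE_URI))
    print("argv:  ", serve_argv(HOSTILE_URI))
```

Only the unsafe variant lets the shell evaluate the substitution; the other two pass the URI through as literal text, and the validator rejects it before a command is ever built.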

Executive Summary

This vulnerability is a command injection issue in mlflow/mlflow when serving a model with the option `enable_mlserver=True`. The problem arises because the `model_uri` is directly embedded into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters like `$()` or backticks, it can lead to command substitution, allowing an attacker to execute arbitrary commands.

This means that an attacker can inject malicious commands through the `model_uri` parameter, potentially gaining unauthorized control over the system.

Impact Analysis

This vulnerability can have severe impacts including privilege escalation. If a higher-privileged service serves models from a directory writable by lower-privileged users, an attacker can exploit this flaw to execute commands with elevated privileges.

The CVSS score of 9.6 indicates a critical severity, meaning it can lead to complete compromise of confidentiality, integrity, and availability of the affected system.
