Cyber Resilience

CVE-2025-14287

High · Public PoC · RCE · Updated

Published: 16 March 2026

Modified: 30 June 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0124 (65.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-14287 is a high-severity Code Injection (CWE-94) vulnerability in Lfprojects Mlflow. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 34.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14287 is a command injection vulnerability in mlflow/mlflow versions before v3.7.0, located in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The flaw occurs due to the direct interpolation of user-supplied container image names into shell commands without sanitization, followed by execution via `os.system()`. Attackers can exploit this by providing malicious input through the `--container` parameter of the MLflow CLI, impacting environments such as development setups, CI/CD pipelines, and cloud deployments where MLflow is used for machine learning workflows.
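The flaw described above, shown as the vulnerable pattern beside a hardened form. This is an added illustration, not MLflow's source or its v3.7.0 fix; the `docker tag` command, the function names, the sample values and the image-name allow-list are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Allow-list for an image reference: [registry[:port]/]path[:tag][@sha256:digest].
# The grammar is an assumption made for this example, not MLflow's own check.
_NAME = r"[a-z0-9]+(?:[._-][a-z0-9]+)*"
IMAGE_REF = re.compile(
    rf"{_NAME}(?::[0-9]+)?(?:/{_NAME})*"
    r"(?::[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?"
    r"(?:@sha256:[0-9a-f]{64})?"
)

def is_valid_image(image: str) -> bool:
    # fullmatch (not match/search) so trailing newlines or extra text fail.
    return len(image) <= 255 and IMAGE_REF.fullmatch(image) is not None

def unsafe_command(image: str, target: str) -> str:
    """The pattern the advisory describes: values pasted into one shell string
    (the kind passed to os.system). Built for inspection only, never executed."""
    return f"docker tag {image} {target}"

def shell_tokens(command: str) -> list[str]:
    """Tokenise roughly as a POSIX shell would, keeping control operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def safe_argv(image: str, target: str) -> list[str]:
    """Hardened form: validate, then pass each value as its own argv element."""
    for value in (image, target):
        if not is_valid_image(value):
            raise ValueError(f"rejected image reference: {value!r}")
    return ["docker", "tag", image, target]

def tag_image(image: str, target: str) -> None:
    # No shell is involved, so metacharacters are never interpreted.
    subprocess.run(safe_argv(image, target), check=True)

if __name__ == "__main__":
    good = "mlflow-pyfunc:3.7.0"                             # constructed sample
    bad = "mlflow-pyfunc;echo INJECTED"                      # constructed sample
    target = "registry.example.com/ml/mlflow-pyfunc:3.7.0"   # constructed sample
    print(shell_tokens(unsafe_command(bad, target)))  # ';' appears as an operator
    print(safe_argv(good, target))
```

The allow-list also rejects values that begin with `-`, so a name cannot be read as a command-line option even though no shell is involved.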

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-94 (Improper Control of Generation of Code). Exploitation requires network access with low complexity and no privileges, but user interaction is needed, such as tricking a legitimate user into running the affected CLI command with a crafted `--container` argument. Successful exploitation enables arbitrary command execution on the host system, potentially leading to high confidentiality, integrity, and availability impacts.

Mitigation involves upgrading to mlflow/mlflow version v3.7.0 or later, where the issue is addressed. Additional details are available in the Huntr advisory at https://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3.

This vulnerability is particularly relevant to AI/ML practitioners, as MLflow is a widely used open-source platform for managing machine learning lifecycles, and exploitation could compromise sensitive training data or models in affected deployments. No public information on real-world exploitation is available as of the CVE publication on 2026-03-16.

Vulnerability details

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mlflow, sagemaker

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a command injection flaw via unsanitized user input to os.system() in the MLflow CLI, directly enabling arbitrary Unix shell command execution (T1059.004) in SageMaker/Linux contexts and exploitation for client-side code execution (T1203) by tricking users into running crafted CLI commands.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0596 (same product: Lfprojects Mlflow)
CVE-2024-8859 (same product: Lfprojects Mlflow)
CVE-2025-15031 (same product: Lfprojects Mlflow)
CVE-2026-4035 (same product: Lfprojects Mlflow)
CVE-2026-0545 (same product: Lfprojects Mlflow)
CVE-2025-1473 (same product: Lfprojects Mlflow)
CVE-2025-11201 (same product: Lfprojects Mlflow)
CVE-2026-2652 (same product: Lfprojects Mlflow)
CVE-2025-0453 (same product: Lfprojects Mlflow)
CVE-2025-11200 (same product: Lfprojects Mlflow)

Affected Assets

lfprojects mlflow, versions ≤ 3.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates validation of user-supplied inputs such as container image names to prevent command injection via unsanitized interpolation into os.system shell commands.

Prevent: Requires timely identification, testing, and application of flaw remediation such as upgrading MLflow to v3.7.0 or later to fix the vulnerability.

Detect: Enables monitoring for indicators of command injection exploitation, such as anomalous shell command executions in MLflow CLI usage across dev, CI/CD, and cloud environments.