CVE-2026-0596
Published: 31 March 2026
Summary
CVE-2026-0596 is a high-severity OS Command Injection (CWE-78) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 32.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Machine Learning Libraries, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0596 is a command injection vulnerability in the latest version of mlflow/mlflow. It arises when serving a model with the `enable_mlserver=True` option: the `model_uri` is interpolated directly into a shell command string that is then executed via `bash -c`, without quoting or sanitisation. Because the string is parsed by the shell, any shell metacharacters in the `model_uri`, such as `$()` or backticks, trigger command substitution, and the substituted command runs with the privileges of the serving process.
The vulnerability carries a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vector is local: a low-privileged attacker needs to influence the `model_uri` that a higher-privileged process passes to the serving command, for example by creating a model path containing shell metacharacters inside a directory that the attacker can write to and that the service serves models from. When the service serves that model, the attacker's command executes with the service's privileges, which is why the impact on confidentiality, integrity, and availability is rated High and the practical outcome is privilege escalation.
Mitigation details are available in the Huntr advisory at https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285.
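The following Python block is an added illustration written for this page, not code from the mlflow project or the Huntr advisory. It reproduces the pattern the advisory describes (a `model_uri` interpolated into a `bash -c` string), shows the two fixes a reviewer would ask for (pass the URI as its own argv element, or at minimum `shlex.quote` it if a shell is unavoidable), and adds an allowlist validator of the kind NIST SI-10 calls for. The serving command is stood in for by `echo` so the block runs anywhere `bash` exists; the sample URIs and the allowlist pattern are constructed assumptions, not mlflow's real URI grammar.

```python
import re
import shlex
import subprocess

# Constructed sample inputs. The second one carries the command-substitution
# payload class the advisory describes ($(...) inside the model URI).
BENIGN_URI = "models:/fraud-detector/3"
MALICIOUS_URI = "models:/x$(echo INJECTED)/1"


def build_command_vulnerable(model_uri: str) -> list[str]:
    """Unsafe pattern: the URI is pasted into a single string that bash -c
    will parse, so $( ), backticks, ;, | and & are interpreted by the shell.
    'echo serving' stands in for the real serving command (assumption)."""
    return ["bash", "-c", f"echo serving {model_uri}"]


def build_command_quoted(model_uri: str) -> list[str]:
    """If a shell really is required, shlex.quote turns the URI into a
    single-quoted literal so the shell performs no expansion on it."""
    return ["bash", "-c", f"echo serving {shlex.quote(model_uri)}"]


def build_command_hardened(model_uri: str) -> list[str]:
    """Preferred fix: no shell at all. Each argument is its own argv element,
    so the URI reaches the child process byte-for-byte."""
    return ["echo", "serving", model_uri]


def run_serve_command(argv: list[str]) -> str:
    """Execute the argv list without a shell and return its stdout."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


# SI-10 style input validation. The allowed character set is an assumption
# chosen to cover typical scheme:/path/segment URIs while excluding every
# shell metacharacter; a real deployment should align it with the URI
# grammar it actually accepts.
_URI_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/:+=@%-]*$")


def is_safe_model_uri(model_uri: str) -> bool:
    """Reject any URI outside the allowlist before it reaches a command."""
    return bool(_URI_ALLOWED.match(model_uri))


def compare_handling(model_uri: str) -> dict[str, str]:
    """Run the same URI through the three builders to show the difference."""
    return {
        "vulnerable": run_serve_command(build_command_vulnerable(model_uri)),
        "quoted": run_serve_command(build_command_quoted(model_uri)),
        "hardened": run_serve_command(build_command_hardened(model_uri)),
    }


if __name__ == "__main__":
    for uri in (BENIGN_URI, MALICIOUS_URI):
        print(f"{uri!r} safe={is_safe_model_uri(uri)}")
        for mode, out in compare_handling(uri).items():
            print(f"  {mode:10s} -> {out}")
```

With the malicious URI, the vulnerable builder prints `serving models:/xINJECTED/1`, proving that `$(echo INJECTED)` was executed by the shell; the quoted and hardened builders both print the URI literally, and the validator rejects it up front.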
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17415
Vulnerability details
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mlflow
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct OS command injection via an unsanitized `model_uri` passed through `bash -c` gives the attacker Unix shell command execution (T1059.004); because the injected command runs with the privileges of the serving process, it also maps to local privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates input validation mechanisms that directly prevent command injection: validate the `model_uri` against an allowlist before use and, more importantly, never hand it to `bash -c` as part of a command string; pass it as a separate argument so no shell parses it.
SI-2 requires timely flaw remediation, addressing this specific command injection in mlflow by applying the vendor patch once available and, in the meantime, avoiding `enable_mlserver=True` on untrusted model paths.
AC-6 enforces least privilege on the MLflow serving process, so that a command injected through a model path runs with minimal rights and cannot serve as an escalation step; in particular, a privileged service should not serve models from directories writable by lower-privileged users.