CVE-2026-0596
Published: 31 March 2026
Summary
CVE-2026-0596 is a high-severity OS Command Injection (CWE-78) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). It is ranked at the 37.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates input validation mechanisms that directly prevent command injection by sanitizing the model_uri before embedding it in bash -c commands.
SI-2 requires timely flaw remediation, addressing the specific command injection vulnerability in mlflow by applying vendor patches.
AC-6 enforces least privilege on the higher-privileged MLflow service, limiting the scope and impact of privilege escalation from injected commands.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct OS command injection via unsanitized model_uri in bash -c enables Unix shell command execution (T1059.004) and local privilege escalation (T1068).
NVD Description
A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.
Deeper analysis
CVE-2026-0596 is a command injection vulnerability in the latest version of mlflow/mlflow. It arises when serving a model with the `enable_mlserver=True` option, where the `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters such as `$()` or backticks, attackers can perform command substitution, enabling execution of arbitrary attacker-controlled commands.
The vulnerability carries a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). A local low-privileged attacker can exploit it by controlling the `model_uri`, such as placing a malicious model in a writable directory. If a higher-privileged service serves models from that directory, the attacker can achieve command execution, potentially leading to privilege escalation with high impact on confidentiality, integrity, and availability.
Mitigation details are available in the Huntr advisory at https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285.
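As an added illustration, not code from the advisory or from MLflow itself, the snippet below places the `bash -c` interpolation pattern the advisory describes next to the three defensive choices the controls above point to: drop the shell, quote the value, and validate the `model_uri` shape (SI-10), plus a check that the model directory is not writable by lower-privileged users. The `mlserver` command line, the URIs and all function names are assumptions made for the example.

```python
import os
import re
import shlex
import stat

# Constructed sample values for this example, not taken from the advisory.
SAFE_URI = "models:/demo/1"
HOSTILE_URI = "models:/demo/$(true)"  # carries the $() metacharacters the advisory names

def build_serve_command_vulnerable(model_uri: str) -> list:
    # The pattern CVE-2026-0596 describes: the URI is spliced into a string
    # that bash -c re-parses, so $() and backticks inside it get expanded.
    # (The mlserver command line here is assumed, not MLflow's real one.)
    return ["bash", "-c", f"mlserver start --model-uri {model_uri}"]

def build_serve_command_hardened(model_uri: str) -> list:
    # Fix 1: no shell at all. The URI is a single argv element and is never
    # re-parsed, so metacharacters reach the program as literal text.
    return ["mlserver", "start", "--model-uri", model_uri]

def quote_for_shell(model_uri: str) -> str:
    # Fix 2, for the case where a shell string is unavoidable: single-quote
    # the value so the shell treats every character in it literally.
    return shlex.quote(model_uri)

_URI_RE = re.compile(r"^[A-Za-z0-9_+.-]+:/[A-Za-z0-9._/@:-]+$")

def is_plausible_model_uri(model_uri: str) -> bool:
    # Fix 3, the SI-10 control: allowlist the shape of a URI before use.
    # $ ` ; | & quotes and whitespace are simply not in the allowed set.
    return _URI_RE.match(model_uri) is not None

def is_safe_model_dir(path: str) -> bool:
    # The escalation path in the advisory needs a model directory that a
    # lower-privileged user can write to. Refuse to serve from a directory
    # the serving user does not own or that is group- or world-writable.
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
```

The vulnerable builder hands `bash` a string that still contains the `$()`; the hardened builder keeps the same text but as one literal argument, which is the whole difference the advisory turns on.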
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)