[GHSA-rvhj-8chj-8v3c] A command injection vulnerability exists in mlflow/mlflow...#7273
Pull request overview
Updates the unreviewed GHSA record for CVE-2026-0596 to more explicitly map the vulnerability to the affected PyPI package and improve discoverability for downstream tooling that relies on OSV-style metadata.
Changes:
- Add an advisory summary describing the command injection condition and context (enable_mlserver=True).
- Populate affected with a PyPI package entry for mlflow and an ecosystem range up to 3.1.4.
- Add a PACKAGE reference pointing to the upstream mlflow/mlflow repository.
Hi @ConnorCallison, Thank you for your interest in improving the Advisory Database. The mflow in PyPI appears to be from ukiyo-dev/Mflow, not mlflow/mlflow. I cannot find a PyPI package for mlflow/mlflow.
Hi @JonathanLEvans — I believe there may be a mix-up. The PyPI package mlflow (two L's) is the official package from mlflow/mlflow, maintained by Databricks. The package mflow (one L) from ukiyo-dev is a different, unrelated project. Here's the evidence that this advisory correctly maps to mlflow on PyPI:
The CVE-2026-0596 description states: "A command injection vulnerability exists in mlflow/mlflow
The PyPI project page lists:
The file mlflow/pyfunc/backend.py contains the exact pattern described in the CVE — model_uri flows into a command passed to ["bash", "-c", command] via subprocess.Popen when enable_mlserver=True (see around line 315).
The last commit to the vulnerable file was Feb 7, 2026 (an unrelated docstring change), and no reviewed GHSA exists for this CVE yet.
I stand corrected, thank you. The huntr reference says that mlflow/mlflow#19738 addresses the issue and the commit for the pull request was added in 3.9.0. Are you saying that the commit does not fix the vulnerability?
Good catch — you're right. mlflow/mlflow#19738 ("Fix Command Injection in model serving") fixes the vulnerability by adding Updated fields:
And two additional references:
Updated the advisory per the discussion above. Changes:
Full updated JSON:

```json
{
  "schema_version": "1.4.0",
  "id": "GHSA-rvhj-8chj-8v3c",
  "modified": "2026-04-01T22:00:00Z",
  "published": "2026-03-31T15:31:56Z",
  "aliases": [
    "CVE-2026-0596"
  ],
  "summary": "Command injection in mlflow when serving models with enable_mlserver=True",
  "details": "A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0596"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/pull/19738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/202fac4c83ccc8544c087c142b80196d0e60695c"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/2e905add-f9f5-4309-a3db-b17de5981285"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-31T15:16:10Z"
  }
}
```

I cannot push directly to this branch (GitHub advisory-database permissions). Applying via the web editor now.
94c7677 into ConnorCallison/advisory-improvement-7273
Hi @ConnorCallison! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments
Adding affected package mapping. CVE-2026-0596 describes a command injection in the mlflow Python package (PyPI: mlflow) when serving models with enable_mlserver=True. The vulnerability is in the model serving code path where model_uri is passed unsanitized to bash -c. The CVE description explicitly names mlflow/mlflow as the affected project. No patched version has been published as of mlflow 3.1.4.
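The CWE-78 pattern this advisory describes (a `model_uri` embedded in a string run through `bash -c`), shown beside two hardened forms, as an added example that is not part of the original thread. It does not reproduce mlflow's code or the change in mlflow/mlflow#19738; the `echo serving` command, the function names and the sample URI are constructed stand-ins.

```python
import shlex
import shutil
import subprocess

# Assumption: a POSIX shell is on PATH; bash is preferred to match the advisory text.
SHELL = shutil.which("bash") or "sh"

# Constructed sample input: a URI carrying a harmless command substitution.
SAMPLE_URI = "models:/demo/1$(echo INJECTED)"


def build_unsafe(model_uri: str) -> str:
    """Vulnerable pattern: the URI is pasted into the shell command string."""
    # Hypothetical stand-in for the serving command; it only echoes its argument.
    return f"echo serving {model_uri}"


def build_quoted(model_uri: str) -> str:
    """Hardened: shlex.quote() turns the URI into one literal shell word."""
    return f"echo serving {shlex.quote(model_uri)}"


def run_shell(command: str) -> str:
    """Run a command string as <shell> -c <command> and return its stdout."""
    proc = subprocess.run(
        [SHELL, "-c", command], capture_output=True, text=True, check=True
    )
    return proc.stdout.strip()


def run_argv(model_uri: str) -> str:
    """Hardened alternative: no shell involved, the URI is a single argv element."""
    proc = subprocess.run(
        ["echo", "serving", model_uri], capture_output=True, text=True, check=True
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    # Unsafe: the shell evaluates $(...) before echo ever sees the URI.
    print("unsafe:", run_shell(build_unsafe(SAMPLE_URI)))
    # Quoted and argv forms: the metacharacters arrive as literal text.
    print("quoted:", run_shell(build_quoted(SAMPLE_URI)))
    print("argv:  ", run_argv(SAMPLE_URI))
```
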