CVE-2025-15379
Published 2026-03-30
Priority P270 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.99% (78.2th percentile)
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | 3.8.0 – 3.8.1 | — |
| mlflow | mlflow_mlflow | >= 0 < 3.8.1 | 3.8.1 |
| mlflow | mlflow_mlflow | >= unspecified < 3.8.2 | 3.8.2 |
Detection & IOCs
- Monitor invocations of `_install_model_dependencies_to_env()` in MLflow model serving code, particularly when `env_manager=LOCAL` is set, for shell metacharacters or unexpected commands injected via `python_env.yaml` dependency strings.
- Flag MLflow model deployments using `env_manager=LOCAL` as a higher-risk configuration where command injection via crafted model artifacts is possible.
- Inspect `python_env.yaml` files within model artifacts for shell injection payloads (e.g., semicolons, backticks, `$()`, pipes) in dependency specification fields before deployment.
- The vulnerability is only exploitable when MLflow model serving is configured with `env_manager=LOCAL`; other `env_manager` modes do not trigger the vulnerable code path.
- Affected version is 3.8.0; the fix is present in version 3.8.2. Deployments running 3.8.0 should be prioritized for upgrade.
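A pre-deployment check for the `python_env.yaml` inspection item above, as an added example (not MLflow's code and not the upstream fix). It assumes the flat `build_dependencies` / `dependencies` list layout and reads it with a simplified line reader rather than a full YAML parser; every entry that is not a plain requirement specifier or a `-r <file>` reference is reported, which includes legitimate PEP 508 environment markers (`;`) that then need manual review.

```python
import re

DEP_KEYS = ("build_dependencies", "dependencies")  # lists that feed the install step
OP = r"(==|!=|~=|>=|<=|>|<)"
VER = r"[A-Za-z0-9.*+!_-]+"
# Allowlist: plain requirement (name, extras, version clauses) or "-r <file>".
REQ = re.compile(rf"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[A-Za-z0-9._,-]+\])?"
                 rf"(\s*{OP}\s*{VER}(\s*,\s*{OP}\s*{VER})*)?$")
REQ_FILE = re.compile(r"^-r\s+[A-Za-z0-9._/-]+$")


def dependency_entries(text):
    """Yield (key, value) list items; simplified reader, not a full YAML parser."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and not line.startswith("-"):
            name = line.split(":", 1)[0].strip()
            key = name if name in DEP_KEYS else None
        elif key and line.lstrip().startswith("- "):
            value = line.lstrip()[2:].strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop YAML quoting
            yield key, value


def suspicious_dependencies(text):
    """Return entries that are not plain requirement specifiers."""
    return [(k, v) for k, v in dependency_entries(text)
            if not (REQ.match(v) or REQ_FILE.match(v))]


# Constructed sample, not taken from a real model artifact.
SAMPLE = """\
python: 3.10.12
build_dependencies:
- pip==23.3.1
dependencies:
- -r requirements.txt
- scikit-learn>=1.3,<1.5
- "requests==2.31.0; echo constructed-marker"
- numpy==1.26.4 $(echo constructed-marker)
"""

if __name__ == "__main__":
    for key, value in suspicious_dependencies(SAMPLE):
        print(f"review {key}: {value!r}")
```

Run it against the artifact's `python_env.yaml` before the model reaches a serving host, and treat any reported entry as a reason to block deployment until reviewed.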
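CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | | 10.0 | CRITICAL | |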
OSV
MLflow Command Injection vulnerability
osv·2026-03-30
CVE-2025-15379 [CRITICAL] MLflow Command Injection vulnerability
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.1.
GHSA
MLflow Command Injection vulnerability
ghsa·2026-03-30
CVE-2025-15379 [CRITICAL] CWE-77 MLflow Command Injection vulnerability
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.1.
Red Hat
mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization.
vendor_redhat·2026-03-30·CVSS 10.0
CVE-2025-15379 [CRITICAL] CWE-78 mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization.
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
A flaw was found in MLflow. When deploying a model with `env_manager=LOCAL`, MLflow's model serving cont
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-2635 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-2635 [CRITICAL] CVE-2026-2635 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2635 :
MLflow vulnerability analysis and mitigation
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
Source : NVD
Score: 9.8
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
MLflow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Pr
Wiz
CVE-2026-2033 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-2033 [CRITICAL] CVE-2026-2033 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2033 :
MLflow vulnerability analysis and mitigation
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Source : NVD
Score: 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
MLflow
Has Public Exploit No
Has C
Wiz
CVE-2025-15381 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-15381 [CRITICAL] CVE-2025-15381 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15381 :
MLflow vulnerability analysis and mitigation
basic-auth
NO_PERMISSIONS
mlflow server --app-name=basic-auth
Source : NVD
Score: 8.1
Published March 27, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity HIGH No Fix Added at: Apr 02, 2026
Wiz
CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33865 [CRITICAL] CVE-2026-33865 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33865 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim.
This issue affects MLflow version through 3.10.1
Source : NVD
Score: 5.1
Published April 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-33866 [CRITICAL] CVE-2026-33866 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33866 :
MLflow vulnerability analysis and mitigation
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access.
This issue affects MLflow version through 3.10.1
Source : NVD
Score: 5.3
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity MEDIUM
Wiz
CVE-2025-15036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-15036 [CRITICAL] CVE-2025-15036 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15036 :
MLflow vulnerability analysis and mitigation
extract_archive_to_dir
mlflow/pyfunc/dbconnect_artifact_cache.py
Source : NVD
Score: 9.6
Published March 30, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Apr 02, 2026
Wiz
CVE-2025-14287 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-14287 [HIGH] CVE-2025-14287 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14287 :
MLflow vulnerability analysis and mitigation
mlflow/sagemaker/__init__.py
os.system()
--container
Source : NVD
Score: 7.5
Published March 16, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mlflow
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 18, 2026
Wiz
CVE-2025-14279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-14279 [HIGH] CVE-2025-14279 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14279 :
MLflow vulnerability analysis and mitigation
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
Source : NVD
Score: 8.1
Published January 12, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
Wiz
CVE-2025-10279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2025-10279 [HIGH] CVE-2025-10279 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-10279 :
MLflow vulnerability analysis and mitigation
/tmp
.py
Source : NVD
Score: 7
Published February 2, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
MLflow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mlflow
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 03, 2026
Wiz
CVE-2025-15379 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-15379 [CRITICAL] CVE-2025-15379 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15379 :
MLflow vulnerability analysis and mitigation
_install_model_dependencies_to_env()
env_manager=LOCAL
python_env.yaml
Source : NVD
Score: 10
Published March 30, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 46.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-0545 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-0545 [CRITICAL] CVE-2026-0545 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0545 :
MLflow vulnerability analysis and mitigation
/ajax-api/3.0/jobs/*
basic-auth
MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true
Source : NVD
Score: 9.1
Published April 3, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
MLflow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 42.1
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL No Fix Added at: Apr 07, 2026
- https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e
- https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75
- https://access.redhat.com/security/cve/CVE-2025-15379
- https://bugzilla.redhat.com/show_bug.cgi?id=2452949
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-15379.json

Published: 2026-03-30