CRITICAL🇵🇱 Wersja polska

CVE-2025-15379

CVSS 9.8v3.1pub. 2026-03-30upd. 2026-06-30

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

🤖 AI Analysis
How it works

When deploying a model with the `env_manager=LOCAL` parameter, MLflow reads dependency specifications from the `python_env.yaml` file contained in the model artifact. The read values are then directly inserted into a shell command without any sanitization or input validation. An attacker can place maliciously crafted values containing shell control sequences in the `python_env.yaml` file, leading to the execution of arbitrary commands in the context of the system running the model.

Impact

An attacker can achieve full execution of arbitrary commands (RCE) on the system deploying the model, which can result in server takeover, data theft, environment integrity violation, or further lateral movement in the network.

Mitigation & patch

MLflow should be updated to version 3.8.2, where the vulnerability has been fixed. Until the update is applied, avoid deploying models from untrusted sources and restrict the ability to use the `env_manager=LOCAL` parameter in production environments.

Who is affected

MLflow version 3.8.0 (vendor: Lfprojects)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lfprojects Mlflow

    APP
    Lfprojects
    3.8.0 – 3.8.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
ContainerCommand Injection
CWE
References

Related vulnerabilities

CVE-2026-2651CRITICAL9.0PL ✓ten sam produkt

MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)

CVE-2026-2611CRITICAL9.6PL ✓ten sam produkt

MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request

CVE-2026-0545CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach FastAPI jobs w MLflow (Auth Bypass / RCE)

CVE-2025-15036CRITICAL10.0PL ✓ten sam produkt

Path traversal w MLflow — nadpisanie plików i eskalacja uprawnień

CVE-2025-15031CRITICAL9.1PL ✓ten sam produkt

MLflow: path traversal w ekstrakcji archiwów tar umożliwia RCE