MLflow hat eine Command Injection in mlflow/sagemaker/__init__.py

The vulnerability resides in the mlflow/sagemaker/init.py file, specifically where user-supplied container image names are directly interpolated into shell commands without proper sanitization. An attacker can leverage this by crafting a malicious container image name containing shell commands. When this malicious name is passed through the --container parameter of the MLflow CLI, the injected commands will be executed with the privileges of the MLflow process. This could lead to complete system compromise, data exfiltration, or disruption of MLflow operations. The blast radius extends to any environment where MLflow is deployed, including development environments, CI/CD pipelines, and cloud-based machine learning platforms.

Organizations heavily reliant on MLflow for machine learning model management, particularly those using it in CI/CD pipelines or cloud deployments, are at significant risk. Shared hosting environments where multiple users have access to the MLflow CLI are also vulnerable, as an attacker could potentially exploit the vulnerability on behalf of another user.

• python / mlflow:

import subprocess
import os

def check_mlflow_version():
    try:
        result = subprocess.check_output(['mlflow', '--version'], stderr=subprocess.STDOUT)
        version = result.decode('utf-8').strip()
        if version <= '3.7.0rc0':
            print(f"MLflow version is vulnerable: {version}")
        else:
            print(f"MLflow version is not vulnerable: {version}")
    except FileNotFoundError:
        print("MLflow is not installed.")
check_mlflow_version()

• generic web: Check for suspicious container image names being passed to MLflow CLI via command-line arguments or environment variables. Monitor access logs for unusual activity related to MLflow.

1. 2026-03-16Disclosure

   disclosure

1. Reserviert2025-12-08
2. Veröffentlicht2026-03-16
3. Geändert2026-03-17
4. EPSS aktualisiert2026-03-23

The primary mitigation is to upgrade MLflow to version 3.8.0rc0 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation on the --container parameter to sanitize user-provided values. This could involve whitelisting allowed characters or rejecting inputs containing potentially malicious shell metacharacters. Furthermore, restrict the permissions of the MLflow process to minimize the impact of a successful command injection attack. After upgrading, verify the fix by attempting to execute a command through the --container parameter with a known malicious payload and confirming that it is properly sanitized and does not execute.