[GHSA-rvhj-8chj-8v3c] A command injection vulnerability exists in mlflow/mlflow...#7273

Open
ConnorCallison wants to merge 1 commit into ConnorCallison/advisory-improvement-7273 from ConnorCallison-GHSA-rvhj-8chj-8v3c

Conversation

@ConnorCallison

Updates

  • Affected products
  • Source code location
  • Summary

Comments
Adding affected package mapping. CVE-2026-0596 describes a command injection in the mlflow Python package (PyPI: mlflow) when serving models with enable_mlserver=True. The vulnerability is in the model serving code path where model_uri is passed unsanitized to bash -c. The CVE description explicitly names mlflow/mlflow as the affected project. No patched version has been published as of mlflow 3.1.4.

Copilot AI review requested due to automatic review settings March 31, 2026 18:08
@github-actions github-actions bot changed the base branch from main to ConnorCallison/advisory-improvement-7273 March 31, 2026 18:09

Copilot AI left a comment


Pull request overview

Updates the unreviewed GHSA record for CVE-2026-0596 to more explicitly map the vulnerability to the affected PyPI package and improve discoverability for downstream tooling that relies on OSV-style metadata.

Changes:

  • Add an advisory summary describing the command injection condition and context (enable_mlserver=True).
  • Populate affected with a PyPI package entry for mlflow and an ecosystem range up to 3.1.4.
  • Add a PACKAGE reference pointing to the upstream mlflow/mlflow repository.


@JonathanLEvans

Hi @ConnorCallison,

Thank you for your interest in improving the Advisory Database. The mflow in PyPI appears to be from ukiyo-dev/Mflow, not mlflow/mlflow. I cannot find a PyPI package for mlflow/mlflow.

@ConnorCallison
Author

Hi @JonathanLEvans — I believe there may be a mix-up. The PyPI package mlflow (two L's) is the official package from mlflow/mlflow, maintained by Databricks. The package mflow (one L) from ukiyo-dev is a different, unrelated project.

Here's the evidence that this advisory correctly maps to mlflow on PyPI:

  1. The CVE explicitly names mlflow/mlflow

The CVE-2026-0596 description states: "A command injection vulnerability exists in mlflow/mlflow when serving a model with enable_mlserver=True." The source is security@huntr.dev.

  2. The PyPI package mlflow is from mlflow/mlflow

The PyPI project page lists:

  3. The vulnerable code pattern exists in the mlflow package

The file mlflow/pyfunc/backend.py contains the exact pattern described in the CVE — model_uri flows into a command passed to ["bash", "-c", command] via subprocess.Popen when enable_mlserver=True (see around line 315).

  4. No fix has been published

The last commit to the vulnerable file was Feb 7, 2026 (an unrelated docstring change), and no reviewed GHSA exists for this CVE yet.

@JonathanLEvans

JonathanLEvans commented Mar 31, 2026

I stand corrected, thank you. The huntr reference says that mlflow/mlflow#19738 addresses the issue and the commit for the pull request was added in 3.9.0. Are you saying that the commit does not fix the vulnerability?

@ConnorCallison
Author

Good catch! Thank you for digging that up. You're right, mlflow/mlflow#19738 fixes the vulnerability by adding shlex.quote(model_uri) in mlflow/pyfunc/mlserver.py. That was merged Jan 5, 2026. I'll update the affected versions to < 3.9.0 and the patched version to 3.9.0.

@ConnorCallison
Author

Good catch — you're right. mlflow/mlflow#19738 ("Fix Command Injection in model serving") fixes the vulnerability by adding shlex.quote(model_uri) in mlflow/pyfunc/mlserver.py. The fix was merged Jan 5, 2026, and commit 202fac4 first shipped in 3.9.0.

Updated fields:

  • Affected versions: < 3.9.0
  • Patched versions: 3.9.0

And two additional references:
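As an added illustration (not code from mlflow, from this PR, or from the advisory), here is the pattern the thread describes, a raw model_uri interpolated into a string destined for bash -c, next to the shlex.quote() shape of the merged fix. The command template is a hypothetical stand-in and the URI is a constructed sample; shlex's own tokenizer is used offline in place of a real shell.

```python
import shlex

# Constructed sample (not from the advisory): a model_uri carrying a shell
# separator, the class of value the thread says reaches ["bash", "-c", ...].
CONSTRUCTED_URI = "models:/demo; echo injected"

# Hypothetical command shape; only the interpolation point matters here.
SERVE_TEMPLATE = "serve-model --uri {uri}"


def shell_words(command: str) -> list[str]:
    """Tokenize a command string the way a POSIX shell would, without running it.

    punctuation_chars=True makes ';', '&', '|', '(', ')', '<', '>' their own
    tokens, so a separator smuggled inside an argument becomes visible.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_serve_command_unsafe(model_uri: str) -> str:
    """Vulnerable shape: the URI is dropped into the string verbatim."""
    return SERVE_TEMPLATE.format(uri=model_uri)


def build_serve_command_safe(model_uri: str) -> str:
    """Hardened shape matching the fix: shlex.quote() makes the URI one word."""
    return SERVE_TEMPLATE.format(uri=shlex.quote(model_uri))


def uri_needs_quoting(model_uri: str) -> bool:
    """Defensive pre-check: True when the URI holds any character the shell
    would interpret (whitespace, ';', '$', quotes, ...). Ordinary URIs such as
    'models:/name' or 'runs:/id/model' come back from shlex.quote() unchanged."""
    return shlex.quote(model_uri) != model_uri


if __name__ == "__main__":
    unsafe = shell_words(build_serve_command_unsafe(CONSTRUCTED_URI))
    safe = shell_words(build_serve_command_safe(CONSTRUCTED_URI))
    print("unsafe tokens:", unsafe)  # ';' and 'echo' become separate words
    print("safe tokens:  ", safe)    # the whole URI stays a single argument
    print("needs quoting:", uri_needs_quoting(CONSTRUCTED_URI))
```

The unsafe tokenization shows why a bare model_uri is an injection point: the shell would see a second command after the separator, whereas the quoted form keeps the entire value as one argument.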
