CVE-2026-0596 is a severe command injection vulnerability affecting the mlflow/mlflow open-source machine learning lifecycle platform, specifically when serving models with the enable_mlserver=True configuration. The root cause is improper neutralization of special shell characters in the model_uri parameter, which is directly embedded into a shell command executed via 'bash -c'. This allows an attacker to craft a malicious model_uri containing shell metacharacters such as $() or backticks, enabling command substitution and execution of arbitrary commands on the host system. Because the shell command is executed without sanitization or escaping, the attacker can run arbitrary code with the privileges of the mlflow service. If the mlflow service runs with elevated privileges and serves models from directories writable by less privileged users, this can lead to privilege escalation. The vulnerability affects the latest versions of mlflow/mlflow, with no specific versions enumerated. The CVSS v3.0 base score is 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating a critical severity with network attack vector (adjacent network), low attack complexity, no privileges required, no user interaction, and scope change. While no exploits are currently known in the wild, the vulnerability's nature and high severity make it a significant risk for organizations using mlflow for model serving in production environments.

The impact of CVE-2026-0596 is substantial for organizations deploying mlflow for machine learning model serving. Successful exploitation allows attackers to execute arbitrary commands on the host system, potentially leading to full system compromise. This threatens confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by enabling disruptive actions such as service termination or resource exhaustion. The possibility of privilege escalation further amplifies the risk, especially in environments where mlflow runs with elevated privileges or serves models from directories writable by lower-privileged users. Given mlflow's widespread use in data science and AI workflows, this vulnerability could disrupt critical business operations, lead to data breaches, and facilitate lateral movement within networks. The critical CVSS score reflects the ease of exploitation and the broad impact on system security.

To mitigate CVE-2026-0596, organizations should immediately update mlflow to a patched version once available. In the absence of an official patch, apply temporary mitigations such as disabling the enable_mlserver=True option if feasible. Restrict write permissions on directories used for serving models to prevent untrusted users from placing malicious model_uris. Implement input validation and sanitization on the model_uri parameter to disallow shell metacharacters or use safer APIs that avoid shell invocation entirely. Run the mlflow service with the least privileges necessary to limit the impact of potential exploitation. Employ containerization or sandboxing techniques to isolate the mlflow service environment. Monitor logs and network activity for suspicious behavior indicative of command injection attempts. Finally, conduct a thorough security review of deployment configurations and educate development teams about secure coding practices related to shell command execution.