CVE-2026-0596
MLflow · MLflow
MLflow is vulnerable to command injection when serving models with `enable_mlserver=True`. Shell metacharacters in the `model_uri` allow arbitrary command execution, because the URI is passed into a command run via `bash -c`.
Executive summary
An attacker who can supply a crafted model URI to an MLflow model server started with `enable_mlserver=True` can execute arbitrary shell commands with the privileges of the MLflow service. Where that service runs as a privileged account, this amounts to full compromise of the host.
Vulnerability
A command injection vulnerability exists in the model serving component. When `enable_mlserver=True` is set, the `model_uri` parameter is interpolated unsanitized into a command string that is executed through `bash -c`. Because bash parses that string, command-substitution metacharacters such as `$()` or backticks placed in the URI are evaluated, and the embedded commands run with the privileges of the MLflow service.
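The pattern the advisory describes, as an added example that is not MLflow's own code: a hypothetical `serve-model` command (an assumed placeholder, not a real MLflow or MLServer CLI) is built two ways. The vulnerable form interpolates `model_uri` into a `bash -c` string; the hardened form validates the URI against an allow-list and hands it to the program as a single argv element with no shell in the path. The sample URIs and the allow-listed scheme set are constructed for this example.

```python
import re
from typing import List

# Constructed sample URIs (not taken from the advisory): one benign, two carrying
# the command-substitution forms the advisory names.
BENIGN_URI = "models:/fraud-detector/3"
INJECTED_URI = "models:/fraud-detector/3$(touch /tmp/pwned)"
BACKTICK_URI = "runs:/abc123/model`id`"

# Allow-list for model URIs: a known scheme prefix and a limited character set.
# The scheme list is an assumption for this example; extend it deliberately.
_MODEL_URI_RE = re.compile(r"^(models|runs|file|s3|gs|wasbs|dbfs):/[A-Za-z0-9._/:@=-]+$")


def is_safe_model_uri(uri: str) -> bool:
    """True only if the URI matches the allow-list; spaces, quotes, `$`, `(`
    and backticks are all outside the permitted character set."""
    return _MODEL_URI_RE.fullmatch(uri) is not None


def build_command_vulnerable(model_uri: str) -> List[str]:
    """The injectable pattern: the URI is interpolated into one string that bash
    parses, so $(...) and backticks inside it are evaluated by the shell."""
    return ["bash", "-c", f"serve-model {model_uri}"]


def build_command_hardened(model_uri: str) -> List[str]:
    """Validate first, then pass the URI as its own argv element. No shell is
    involved, so nothing in the URI is ever interpreted."""
    if not is_safe_model_uri(model_uri):
        raise ValueError(f"rejected model_uri: {model_uri!r}")
    return ["serve-model", model_uri]


def hardened_rejects(model_uri: str) -> bool:
    """Report whether the hardened builder refuses the URI."""
    try:
        build_command_hardened(model_uri)
    except ValueError:
        return True
    return False


def shell_would_evaluate(argv: List[str]) -> bool:
    """Static check on a built command: is it `bash -c <script>` with
    command-substitution syntax still present inside the script?"""
    return (
        len(argv) >= 3
        and argv[:2] == ["bash", "-c"]
        and re.search(r"\$\(|`", argv[2]) is not None
    )


if __name__ == "__main__":
    for uri in (BENIGN_URI, INJECTED_URI, BACKTICK_URI):
        vuln = build_command_vulnerable(uri)
        print(
            f"{uri!r}: vulnerable form evaluates injection = {shell_would_evaluate(vuln)}, "
            f"hardened form rejects = {hardened_rejects(uri)}"
        )
```

If a shell genuinely cannot be avoided, `shlex.quote(model_uri)` before interpolation is the fallback, but the allow-list check stays in front of it: quoting stops bash from interpreting the string, it does nothing about what the program receiving the URI will do with it.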
Business impact
A successful exploit allows an attacker to take control of the machine serving the machine learning models. This can lead to the theft of proprietary models, training data, or sensitive environment variables such as credentials. Furthermore, if the service runs as root or another privileged account, the attacker gains that level of access to the host. The CVSS score of 9.6 reflects this critical impact on ML infrastructure.
Remediation
Immediate Action: Update MLflow to a version containing the fix. If an update is not immediately possible, do not enable `enable_mlserver`, or strictly validate every `model_uri` against an allow-list of expected schemes and characters before it reaches the serving path.
Proactive Monitoring: Monitor process-creation telemetry for `bash -c` processes whose parent is the MLflow serving process, in particular where the command line contains `$(` or backticks, and audit model deployment requests for URIs carrying shell metacharacters.
Compensating Controls: Run MLflow model serving as a low-privileged user in an isolated container to limit the impact of a successful command injection.
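The monitoring item above, as an added example that is not part of the advisory: a detection pass over process-creation events that flags `bash -c` children of the MLflow serving process whose script contains command substitution. The events below are constructed, and the simplified JSON-lines layout and its field names are an assumption for this example; map your auditd or EDR fields (parent image, image, command line) onto them. The `serve-model` command in the event text is a placeholder, not a real MLflow or MLServer CLI.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry). Field names are an
# assumption for this example.
SAMPLE_EVENTS = [
    '{"pid": 4102, "ppid": 3990, "parent_comm": "mlflow", "comm": "bash", '
    '"cmdline": "bash -c serve-model models:/fraud-detector/3"}',
    '{"pid": 4133, "ppid": 3990, "parent_comm": "mlflow", "comm": "bash", '
    '"cmdline": "bash -c serve-model models:/fraud-detector/3$(id > /tmp/out)"}',
    '{"pid": 4150, "ppid": 3990, "parent_comm": "mlflow", "comm": "bash", '
    '"cmdline": "bash -c serve-model runs:/abc123/model`whoami`"}',
    '{"pid": 4201, "ppid": 1, "parent_comm": "cron", "comm": "bash", '
    '"cmdline": "bash -c echo $(date)"}',
    '{"pid": 4230, "ppid": 3990, "parent_comm": "mlflow", "comm": "python", '
    '"cmdline": "python worker.py"}',
]

# The two command-substitution forms the advisory names.
SUBSTITUTION_RE = re.compile(r"\$\(|`")
# The script handed to bash -c: everything after the -c flag.
SCRIPT_RE = re.compile(r"(?:^|\s)-c\s+(.*)$")


def bash_c_script(cmdline: str) -> Optional[str]:
    """Return the script argument of a `bash -c` command line, or None."""
    m = SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Flag bash -c processes spawned by the MLflow service whose script
    carries $( or backtick substitution. bash -c under other parents (cron,
    CI runners) is routine and is left alone to keep the rule precise."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = json.loads(line)
        if ev["comm"] != "bash":
            continue
        script = bash_c_script(ev["cmdline"])
        if script is None:
            continue
        if "mlflow" not in ev["parent_comm"]:
            continue
        if SUBSTITUTION_RE.search(script):
            alerts.append({
                "pid": ev["pid"],
                "ppid": ev["ppid"],
                "severity": "high",
                "reason": f"bash -c under mlflow with command substitution: {script}",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately narrow. Widening it to `;`, `|` or `&` in the script catches more shapes of injection but also ordinary pipelines, so tune that against what the serving process legitimately spawns in your environment before lowering the threshold.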
Exploitation status
Public Exploit Available: No
Analyst recommendation
Machine learning infrastructure often holds sensitive data and significant compute resources. Ensure MLflow is patched and that model deployment is restricted to authorized users, and prioritize the update to close this critical command injection vector.