MLflow and BentoML Flaws Enable Host Code Execution via Malicious AI Model Artifacts
High-severity vulnerabilities in MLflow and BentoML exposed AI model deployment workflows to arbitrary code execution on host systems through malicious model packages. In CVE-2025-15379, MLflow's model serving container initialization code improperly interpolated dependency data from a model artifact's python_env.yaml into a shell command inside _install_model_dependencies_to_env() when env_manager=LOCAL was used, creating a command injection path. The issue affects MLflow 3.8.0 and was fixed in 3.8.2; the flaw carries CWE-77 and a CVSS 9.8-equivalent vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
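The pattern behind the MLflow flaw, reduced to its essentials, as an added example that is not MLflow's code: a dependency list read from an artifact is joined into one shell string on the weak path, while the hardened path validates each entry against a narrow requirement-specifier alphabet and runs pip as an argv list with no shell. The dependency list is constructed to stand in for the `dependencies` entries of a python_env.yaml, and the function names are hypothetical.

```python
"""Building a dependency-install command from untrusted artifact metadata.

Added example, not MLflow's code. ARTIFACT_DEPENDENCIES is a constructed
stand-in for the `dependencies` list of a model's python_env.yaml; the
function names below are hypothetical.
"""
import re
import subprocess
import sys

# Constructed sample. The last entry is not a valid requirement specifier: it
# carries a shell metacharacter that a string-built command would hand to the
# shell unchanged.
ARTIFACT_DEPENDENCIES = ["numpy==1.26.4", "scikit-learn>=1.3,<2", "numpy; not-a-package"]

# Narrow PEP 508-style subset: distribution name, optional extras, optional
# version clauses. Environment markers (after ';') are deliberately outside the
# subset; anything not matching is rejected rather than quoted, because the
# artifact is untrusted input.
_SPECIFIER = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._-]*"                      # distribution name
    r"(\[[A-Za-z0-9._,-]+\])?"                         # optional extras, e.g. [security]
    r"((===|==|~=|!=|<=|>=|<|>)[A-Za-z0-9.*+!-]+"      # first version clause
    r"(,(===|==|~=|!=|<=|>=|<|>)[A-Za-z0-9.*+!-]+)*)?"  # further clauses
)


def build_install_command_weak(dependencies):
    """The weak pattern: metadata interpolated into a single shell string.
    Returned for inspection only; this example never executes it."""
    return "pip install " + " ".join(dependencies)


def rejected_specifiers(dependencies):
    """Return the entries that fall outside the accepted specifier alphabet."""
    return [d for d in dependencies if not _SPECIFIER.fullmatch(d.strip())]


def validated_install_argv(dependencies, python=sys.executable):
    """Hardened form: validate every specifier, then return an argv list that
    is run without a shell, so no string is ever re-parsed as a command."""
    bad = rejected_specifiers(dependencies)
    if bad:
        raise ValueError(f"rejected dependency specifier(s): {bad}")
    return [python, "-m", "pip", "install", "--no-input",
            *(d.strip() for d in dependencies)]


def install_dependencies(dependencies, dry_run=True):
    """Validate and (unless dry_run) install. shell=False is the default for
    subprocess.run with a list, stated here to make the contrast explicit."""
    argv = validated_install_argv(dependencies)
    if not dry_run:
        subprocess.run(argv, check=True, shell=False)
    return argv


if __name__ == "__main__":
    print("weak string:", build_install_command_weak(ARTIFACT_DEPENDENCIES))
    print("rejected:", rejected_specifiers(ARTIFACT_DEPENDENCIES))
    print("argv:", install_dependencies(ARTIFACT_DEPENDENCIES[:2]))
```

Where the `packaging` library is available, `packaging.requirements.Requirement` is a full PEP 508 parser and a better validator than the hand-written subset above; the point that does not change is that artifact-supplied strings are validated and passed as argv, never interpolated into a shell command.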
In CVE-2026-35044, BentoML's generate_containerfile() function rendered user-supplied dockerfile_template files with an unsandboxed Jinja2 environment and the jinja2.ext.do extension, allowing a malicious bento archive to execute arbitrary Python code on the host when a victim ran bentoml containerize. The vulnerability affects versions before 1.4.38 and was fixed in 1.4.38; it is classified as CWE-1336 with a CVSS 8.8 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Together, the disclosures highlight a growing risk in MLOps tooling where importing or deploying untrusted model artifacts can bypass expected isolation and compromise build or serving infrastructure.
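The difference between rendering an artifact-supplied template in a full Jinja2 environment and in a sandbox, as an added example that is not BentoML's code. It assumes the `jinja2` package is installed; the two template strings are constructed stand-ins for a dockerfile_template taken from an archive, and the function names are hypothetical. The mutating template uses the `jinja2.ext.do` extension to call a method on a list the host process passed in, which the plain environment allows and the immutable sandbox refuses.

```python
"""Rendering a template that arrived inside an untrusted artifact.

Added example, not BentoML's code. Requires the `jinja2` package (PyPI: Jinja2).
The template strings are constructed stand-ins for a dockerfile_template shipped
in an archive; the function names are hypothetical.
"""
try:
    from jinja2 import Environment
    from jinja2.exceptions import SecurityError
    from jinja2.sandbox import ImmutableSandboxedEnvironment
    JINJA2_AVAILABLE = True
except ImportError:  # lets the module import where jinja2 is absent
    JINJA2_AVAILABLE = False

# Constructed templates. MUTATING_TEMPLATE calls list.append on host data via
# `{% do %}`; BENIGN_TEMPLATE only reads the values it is given.
MUTATING_TEMPLATE = (
    "FROM python:3.11\n"
    "{% do packages.append('curl') %}"
    "RUN pip install {{ packages | join(' ') }}"
)
BENIGN_TEMPLATE = "FROM python:3.11\nRUN pip install {{ packages | join(' ') }}"


def render_with_full_environment(template_source, packages):
    """The weak pattern: an unsandboxed Environment with the `do` extension.
    Template code can reach any attribute of the objects it is handed, and the
    caller's list is modified as a side effect of rendering."""
    env = Environment(extensions=["jinja2.ext.do"])
    return env.from_string(template_source).render(packages=packages)


def render_untrusted_template(template_source, packages):
    """Hardened pattern: ImmutableSandboxedEnvironment refuses attribute access
    the sandbox considers unsafe, including methods that mutate built-in
    containers, and host data is copied before rendering.
    Returns (ok, rendered_text_or_reason)."""
    env = ImmutableSandboxedEnvironment(extensions=["jinja2.ext.do"])
    try:
        return True, env.from_string(template_source).render(packages=list(packages))
    except SecurityError as exc:
        return False, f"template rejected by sandbox: {exc}"


if __name__ == "__main__":
    host_packages = ["numpy"]
    print(render_with_full_environment(MUTATING_TEMPLATE, host_packages))
    print("host list after full render:", host_packages)
    print(render_untrusted_template(MUTATING_TEMPLATE, ["numpy"]))
    print(render_untrusted_template(BENIGN_TEMPLATE, ["numpy"]))
```

The sandbox is a hardening layer, not a trust boundary on its own: the stronger design is for the tool to render only templates it ships itself and to take nothing from the artifact but plain values, which the rendering step then treats as data.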
Timeline
Apr 6, 2026
BentoML SSTI vulnerability disclosed and fixed in 1.4.38
CVE-2026-35044 was disclosed for BentoML, where an unsandboxed Jinja2 environment in generate_containerfile() could allow arbitrary Python code execution on the host when a malicious bento archive is imported and bentoml containerize is run. The issue affects versions prior to 1.4.38 and was fixed in BentoML 1.4.38.
Mar 30, 2026
MLflow command injection vulnerability reported and fixed in 3.8.2
A command injection flaw, CVE-2025-15379, was reported in MLflow's model serving container initialization code, where unsanitized dependency data from python_env.yaml could lead to arbitrary command execution when env_manager=LOCAL is used. The vulnerability affects MLflow 3.8.0 and is fixed in version 3.8.2.
Related Stories

Critical MLflow Vulnerabilities Enable Authentication Bypass and RCE
**MLflow** disclosed and patched multiple high-severity vulnerabilities affecting deployments of the MLflow platform, including an **authentication bypass due to default credentials** in `basic_auth.ini` tracked as **CVE-2026-2635** (ZDI-26-111). The issue allows **unauthenticated remote attackers** to bypass authentication and potentially **execute arbitrary code with administrator context**; ZDI scored it **CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)** and credited the finding to **Peter Girnus (@gothburz)** via Trend Micro’s **Zero Day Initiative (ZDI)**. A separate MLflow Tracking Server flaw, **CVE-2026-2033**, enables **directory traversal leading to remote code execution** via improper validation of user-supplied artifact file paths in the artifact handler. Exploitation requires no authentication and can result in code execution in the context of the MLflow service account. Both issues reference the same upstream remediation in MLflow (`https://github.com/mlflow/mlflow/pull/19260`) and were published through ZDI advisories (including **ZDI-26-111** for CVE-2026-2635 and **ZDI-26-105** for CVE-2026-2033), indicating coordinated fixes are available and should be prioritized for exposed MLflow instances.
1 month ago
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
1 month ago
Arbitrary File Write Flaws in OpenClaw and ONNX Enable Code Execution
Two high-severity vulnerabilities were disclosed in **OpenClaw** and **ONNX** that can let attackers write to unintended files and potentially gain code execution. In OpenClaw, `GHSA-7XR2-Q9VF-X4R5` describes a symlink traversal issue involving `IDENTITY.md` that allows an authenticated attacker to append user-controlled content to any file writable by the Node.js process over the network with low complexity and no additional user interaction. The flaw was rated **CVSS 8.8** and can affect confidentiality, integrity, and availability, with reported outcomes including privilege escalation, persistent shell access, data corruption, denial of service, and remote code execution. A separate **CVSS 8.8** issue in ONNX, tracked as `CVE-2025-51480` / `GHSA-Q56X-G2FJ-4RJ6`, affects `save_external_data` and allows path traversal that can overwrite or read arbitrary files when a crafted model is processed. The reported impact includes overwriting files such as `~/.ssh/authorized_keys`, `~/.bashrc`, or scheduled task definitions, which can escalate to remote code execution under the privileges of the user running the ONNX workflow. In containerized environments, the flaw can also lead to full container compromise and possible lateral movement within a cluster.
1 month ago