CVE-2026-45444: MLflow pyfunc predict() remote code execution
Overview of the Vulnerability
CVE-2026-45444 is a critical remote code execution (RCE) vulnerability in MLflow affecting versions 2.17.0 to before 2.18.0. This flaw arises from unsafe evaluation in the predict() method, specifically tied to SciPy’s to_python_code() during pyfunc model prediction. An attacker can exploit this vulnerability by providing crafted input, leading to arbitrary code execution.
This vulnerability is rated with a CVSS score of 9.8 (Critical), indicating that it poses a significant risk to any MLflow deployment. Organizations using MLflow for model serving should prioritize this issue.
Why This Matters
The implications of CVE-2026-45444 are severe. If an attacker can access the vulnerable prediction workflow, they can potentially compromise the entire MLflow-serving process. This is not merely a library issue; it has direct ramifications for application security and infrastructure risk.
Affected Versions
- Vulnerable Range: MLflow versions >= 2.17.0 and < 2.18.0
- Fixed Version: 2.18.0
If your organization is running MLflow in any capacity that involves prediction, it’s crucial to verify the installed version and ensure it is upgraded to 2.18.0 or later.
Conclusion
CVE-2026-45444 is a critical vulnerability that requires immediate attention. Organizations must upgrade to MLflow 2.18.0 to mitigate the risks associated with this flaw. Be proactive in monitoring and securing your MLflow deployments to prevent potential exploitation.
For further reading on related security topics, check out our articles on what is network forensics and what is DNS over TLS.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and Response
Identifying Vulnerable Deployments
To determine if your MLflow deployment is vulnerable, check the installed version using the following command:
python -c "import mlflow; print(mlflow.__version__)"
For environments using pip, you can verify the package metadata:
pip show mlflow
Immediate Actions
- Upgrade to MLflow 2.18.0: This is the primary mitigation step.
- Restrict Access: Limit access to prediction endpoints, especially from untrusted networks.
- Monitor Logs: Review logs for any suspicious activity related to prediction requests.
Mitigation Strategies
If upgrading is not immediately possible, consider these temporary measures:
- Authentication: Implement authentication for prediction endpoints.
- Network Segmentation: Restrict access to trusted internal networks only.
- Disable Public Access: Temporarily disable public access to vulnerable endpoints.
Upgrade Instructions
To upgrade MLflow, use the following command:
pip install --upgrade "mlflow>=2.18.0"
For environments that pin exact versions, update your requirements file accordingly.