eastbaycyber

CVE-2026-45444: MLflow pyfunc predict() remote code execution

CVE explainers 2 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-20
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

Overview of the Vulnerability

CVE-2026-45444 is a critical remote code execution (RCE) vulnerability in MLflow affecting versions 2.17.0 to before 2.18.0. This flaw arises from unsafe evaluation in the predict() method, specifically tied to SciPy’s to_python_code() during pyfunc model prediction. An attacker can exploit this vulnerability by providing crafted input, leading to arbitrary code execution.

This vulnerability is rated with a CVSS score of 9.8 (Critical), indicating that it poses a significant risk to any MLflow deployment. Organizations using MLflow for model serving should prioritize this issue.

AnalystImpact · assess the risk

Why This Matters

The implications of CVE-2026-45444 are severe. If an attacker can access the vulnerable prediction workflow, they can potentially compromise the entire MLflow-serving process. This is not merely a library issue; it has direct ramifications for application security and infrastructure risk.

Affected Versions

  • Vulnerable Range: MLflow versions >= 2.17.0 and < 2.18.0
  • Fixed Version: 2.18.0

If your organization is running MLflow in any capacity that involves prediction, it’s crucial to verify the installed version and ensure it is upgraded to 2.18.0 or later.

Conclusion

CVE-2026-45444 is a critical vulnerability that requires immediate attention. Organizations must upgrade to MLflow 2.18.0 to mitigate the risks associated with this flaw. Be proactive in monitoring and securing your MLflow deployments to prevent potential exploitation.

For further reading on related security topics, check out our articles on what is network forensics and what is DNS over TLS.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

Detection and Response

Identifying Vulnerable Deployments

To determine if your MLflow deployment is vulnerable, check the installed version using the following command:

python -c "import mlflow; print(mlflow.__version__)"

For environments using pip, you can verify the package metadata:

pip show mlflow

Immediate Actions

  1. Upgrade to MLflow 2.18.0: This is the primary mitigation step.
  2. Restrict Access: Limit access to prediction endpoints, especially from untrusted networks.
  3. Monitor Logs: Review logs for any suspicious activity related to prediction requests.

Mitigation Strategies

If upgrading is not immediately possible, consider these temporary measures:

  • Authentication: Implement authentication for prediction endpoints.
  • Network Segmentation: Restrict access to trusted internal networks only.
  • Disable Public Access: Temporarily disable public access to vulnerable endpoints.

Upgrade Instructions

To upgrade MLflow, use the following command:

pip install --upgrade "mlflow>=2.18.0"

For environments that pin exact versions, update your requirements file accordingly.

Last verified: 2026-05-20

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.