CVE-2023-4033: OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
highvulnerability
security
Summary
CVE-2023-4033 is an OS command injection vulnerability (a type of attack where an attacker can run arbitrary system commands) found in MLflow, an open-source machine learning platform, in versions before 2.6.0. The vulnerability allows attackers to execute unauthorized commands on affected systems.
Solution / Mitigation
Update MLflow to version 2.6.0 or later. A patch is available at the GitHub commit: https://github.com/mlflow/mlflow/commit/6dde93758d42455cb90ef324407919ed67668b9b
Vulnerability Details
CVSS Score
7.8(high)
EPSS (30-day exploit probability)
EPSS: 0.3%
Classification
Attack Type
Other
Attack SophisticationModerate
Impact (CIA+S)
integrityavailability
Affected Vendors
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2023-4033
First tracked: February 15, 2026 at 08:46 PM
Classified by LLM (prompt v3) · confidence: 92%