CVE-2026-2033 - Vulnerability Details

- MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability

Description

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

Published: 2026-02-20

Score: 8.1 High

EPSS: 14.0% Moderate

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the Tracking Server’s artifact handler where a user‑supplied file path is accepted without validation. This missing guard allows a remote attacker to traverse directories and execute arbitrary code under the service account’s privileges. The impact is full compromise of confidentiality, integrity, and availability of the affected system, as the attacker can run any code the service account can execute.

Affected Systems

All installations of MLflow’s Tracking Server are affected. No specific product versions are listed in the advisory; therefore any publicly available release of MLflow Tracking Server that has not applied the patch is vulnerable.

Risk and Exploitability

The vulnerability scores 8.1 on CVSS and has a 14% EPSS score, indicating it is high severity and has a non‑negligible chance of exploitation. The attacker can reach the vulnerable endpoint without authentication, typically via the artifact upload feature exposed over the network. If the server is reachable from untrusted networks, exploitation is straightforward and can be executed remotely.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MLflow

unknown

Version	Status	Constraints
`3.1.1 and 5b9c01925c2e2a8cf0951f155a6a468ff99cfe0f`	affected	—

No data.

Vendor Product Confidence Versions

Mlflow

100%

Version	Status	Scheme	Platform
`3.1.1 and 5b9c01925c2e2a8cf0951f155a6a468ff99cfe0f`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade MLflow Tracking Server to the latest patched release that fixes path validation errors.
If an upgrade is not immediately possible, restrict the Tracking Server’s network exposure to trusted hosts only and block unauthenticated access to the artifact upload endpoint.
Introduce server‑side input filtering or a whitelist for artifact paths to ensure only allowed directories are accessed before file operations.

Generated by OpenCVE AI on April 17, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-q2r8-vmq7-fpx2	MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.14022.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/mlflow/mlflow/pull/19260
https://www.zerodayinitiative.com/advisories/ZDI-26-105/

History

Mon, 23 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mlflow Mlflow mlflow
Vendors & Products		Mlflow Mlflow mlflow

Fri, 20 Feb 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Title		MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
Weaknesses		CWE-22
References		https://github.com/mlflow/mlflow/pull/19260 https://www.zerodayinitiative.com/advisories/ZDI-26-105/
Metrics		cvssV3_0 `{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Mlflow Mlflow

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2026-02-20T22:12:06.040Z

Updated: 2026-02-26T14:44:13.266Z

Reserved: 2026-02-06T01:08:33.219Z

Link: CVE-2026-2033

Vulnrichment

Updated: 2026-02-23T19:46:42.089Z

NVD

Status : Deferred

Published: 2026-02-20T23:16:03.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object