Description
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Published: 2026-02-20
Score: 8.1 High
EPSS: 14.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Tracking Server’s artifact handler where a user‑supplied file path is accepted without validation. This missing guard allows a remote attacker to traverse directories and execute arbitrary code under the service account’s privileges. The impact is full compromise of confidentiality, integrity, and availability of the affected system, as the attacker can run any code the service account can execute.

Affected Systems

All installations of MLflow Tracking Server are affected. No specific product versions are listed in the advisory; therefore any publicly available release of MLflow Tracking Server that has not applied the patch is vulnerable.

Risk and Exploitability

The description states that authentication is not required, but the exact attack vector is not detailed. Based on the description, it is inferred that the attacker can reach the vulnerable endpoint via the artifact upload feature over the network. If the server is reachable from untrusted networks, exploitation could be possible remotely. The vulnerability scores 8.1 on CVSS and has a 14% EPSS score, indicating high severity and a non‑negligible chance of exploitation. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 14, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MLflow Tracking Server to the latest patched release that fixes path validation errors.
  • Considering the lack of authentication requirement, it is inferred that restricting the Tracking Server’s network exposure to trusted hosts only and blocking unauthenticated access to the artifact upload endpoint can mitigate risk.
  • Introduce server‑side input filtering or a whitelist for artifact paths to ensure only allowed directories are accessed before file operations.

Generated by OpenCVE AI on June 14, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q2r8-vmq7-fpx2 MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
History

Mon, 23 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow
Vendors & Products Mlflow
Mlflow mlflow

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Title MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Mlflow Mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:13.266Z

Reserved: 2026-02-06T01:08:33.219Z

Link: CVE-2026-2033

cve-icon Vulnrichment

Updated: 2026-02-23T19:46:42.089Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T23:16:03.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2033

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-14T15:15:07Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')