cbcvebase.
CVE-2026-2033
published 2026-02-20

CVE-2026-2033: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute…

PriorityP261high7.3CVSS 3.1
AVNACLPRNUINSUCLILAL
EPSS
1.68%
74.1th percentile
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

Affected

21 ranges
VendorProductVersion rangeFixed in
mlflowmlflow
mlflowmlflow>= 0 < 3.8.0rc03.8.0rc0
rhoaiodh-mlflow-rhel9
rhoaiodh-pipeline-runtime-datascience-cpu-py312-rhel9
rhoaiodh-pipeline-runtime-pytorch-cuda-py312-rhel9
rhoaiodh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9
rhoaiodh-pipeline-runtime-pytorch-rocm-py312-rhel9
rhoaiodh-pipeline-runtime-tensorflow-cuda-py312-rhel9
rhoaiodh-pipeline-runtime-tensorflow-rocm-py312-rhel9
rhoaiodh-th06-cpu-torch210-py312-rhel9
rhoaiodh-th06-cuda130-torch210-py312-rhel9
rhoaiodh-th06-rocm64-torch291-py312-rhel9
rhoaiodh-training-cuda128-torch29-py312-rhel9
rhoaiodh-workbench-codeserver-datascience-cpu-py312-rhel9
rhoaiodh-workbench-jupyter-datascience-cpu-py312-rhel9
rhoaiodh-workbench-jupyter-pytorch-cuda-py312-rhel9
rhoaiodh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9
rhoaiodh-workbench-jupyter-pytorch-rocm-py312-rhel9
rhoaiodh-workbench-jupyter-tensorflow-cuda-py312-rhel9
rhoaiodh-workbench-jupyter-tensorflow-rocm-py312-rhel9
rhoaiodh-workbench-jupyter-trustyai-cpu-py312-rhel9

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerability exists within the handling of artifact file paths in MLflow Tracking Server — monitor HTTP requests to artifact handler endpoints containing directory traversal sequences (e.g., '../') in path parameters
  • No authentication is required to exploit this vulnerability — treat any unauthenticated request to MLflow artifact handler endpoints with suspicious path values as high-priority alert
  • Exploitation results in code execution as the MLflow service account — monitor for unexpected child processes spawned by the MLflow Tracking Server process
  • ·Red Hat OpenShift AI (RHOAI) packages including rhoai/odh-mlflow-rhel9 are confirmed NOT affected by this CVE
  • ·No mitigation is currently available from Red Hat that meets their Product Security criteria for ease of use, deployment, applicability, or stability

CVSS provenance

nvdv3.17.3HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvdv3.08.1HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.