CVE-2026-2033
Published 2026-02-20
Priority: P2 (61), severity high, CVSS 3.1 base score 7.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 1.68% (74.1th percentile)
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
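As an added illustration of the CWE-22 pattern the advisory describes (this is example code written for this page, not MLflow's own handler, which the page does not show), the following Python contrasts an unvalidated join of a user-supplied artifact path with a resolver that decodes once, rejects `..` segments, absolute paths and backslashes, and then checks that the resolved path still lies under the artifact root. The artifact-root layout, the file names and the helper names are assumptions made for the example.

```python
"""Artifact-path handling: the CWE-22 pattern behind a traversal bug, next to a
hardened resolver. Generic example code written for this page; it is not
MLflow's handler, and the artifact-root layout and helper names are assumptions."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested artifact path would leave the artifact root."""


def resolve_artifact_path_vulnerable(artifact_root: str, user_path: str) -> str:
    # The pattern the advisory describes: a user-supplied path is used in a file
    # operation without validation. os.path.join drops the root entirely when
    # user_path is absolute, and ".." segments are never checked.
    return os.path.join(artifact_root, user_path)


def resolve_artifact_path_hardened(artifact_root: str, user_path: str) -> str:
    # Decode once so "%2e%2e/" and "../" are treated alike. A web framework
    # normally does this before the handler runs; it is done here so the
    # function is self-contained.
    decoded = unquote(user_path)
    # Reject absolute paths, Windows separators and NUL bytes outright.
    if decoded.startswith(("/", "\\")) or "\\" in decoded or "\x00" in decoded:
        raise PathTraversalError(f"rejected path: {user_path!r}")
    # Reject any ".." segment instead of trying to normalise it away.
    if any(segment == ".." for segment in decoded.split("/")):
        raise PathTraversalError(f"traversal segment in: {user_path!r}")
    root = Path(artifact_root).resolve()
    # resolve() follows symlinks, so a link inside the root that points outside
    # it is caught by the containment check below.
    candidate = (root / decoded).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"escapes artifact root: {user_path!r}")
    return str(candidate)


def demo() -> dict:
    """Run both resolvers over constructed inputs; returns a label -> outcome map."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "artifacts"
        (root / "run1").mkdir(parents=True)
        (root / "run1" / "model.pkl").write_bytes(b"constructed sample artifact")
        outside = Path(tmp) / "secret.txt"              # constructed file outside the root
        outside.write_text("not an artifact")
        (root / "run1" / "escape").symlink_to(outside)  # symlink that leaves the root
        cases = {
            "legit": "run1/model.pkl",
            "dotdot": "../../etc/passwd",
            "encoded": "%2e%2e/%2e%2e/etc/passwd",
            "absolute": "/etc/passwd",
            "backslash": "run1\\..\\..\\etc\\passwd",
            "symlink": "run1/escape",
            # Decoded once this is a literal directory named "%2e%2e": harmless,
            # because containment is checked on the resolved path, not the text.
            "double_encoded": "%252e%252e/%252e%252e/etc/passwd",
        }
        resolved_root = root.resolve()
        for label, user_path in cases.items():
            try:
                full = resolve_artifact_path_hardened(str(root), user_path)
                outcomes[label] = ("ok", str(Path(full).relative_to(resolved_root)))
            except PathTraversalError as exc:
                outcomes[label] = ("rejected", str(exc))
    # The vulnerable join, for contrast: both results lie outside the root.
    outcomes["vulnerable_join"] = os.path.normpath(
        resolve_artifact_path_vulnerable("/srv/mlflow/artifacts", "../../etc/passwd"))
    outcomes["vulnerable_absolute"] = resolve_artifact_path_vulnerable(
        "/srv/mlflow/artifacts", "/etc/passwd")
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome}")
```

The final containment check on the resolved path is what actually matters: the segment and prefix checks are cheap first-line filters, but only `resolve()` plus the `parents` test catches symlinks that already exist inside the artifact root and point elsewhere.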
Affected (21 ranges)

Only the upstream mlflow row carries a range: every version below 3.8.0rc0 is affected and the fix ships in 3.8.0rc0, so the target is 3.8.0rc0 or any later release. The rhoai rows are listed without a version range or fix version, and Red Hat's own statement (see Detection & IOCs) marks those packages as not affected.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mlflow | mlflow | — | — |
| mlflow | mlflow | >= 0 < 3.8.0rc0 | 3.8.0rc0 |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-training-cuda128-torch29-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability exists within the handling of artifact file paths in MLflow Tracking Server: monitor HTTP requests to artifact handler endpoints containing directory traversal sequences (e.g., '../') in path parameters.
- No authentication is required to exploit this vulnerability: treat any unauthenticated request to MLflow artifact handler endpoints with suspicious path values as a high-priority alert.
- Exploitation results in code execution as the MLflow service account: monitor for unexpected child processes spawned by the MLflow Tracking Server process.
- Red Hat OpenShift AI (RHOAI) packages, including rhoai/odh-mlflow-rhel9, are confirmed NOT affected by this CVE.
- No mitigation is currently available from Red Hat that meets their Product Security criteria for ease of use, deployment, applicability, or stability.
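An added detection example, not drawn from the page's sources: it scans constructed access-log lines for the traversal pattern the bullets above describe, scoped to artifact-handler endpoints. The endpoint prefixes (`/get-artifact`, `/api/2.0/mlflow-artifacts/artifacts`, and their `/model-versions` and `/ajax-api` forms) are assumptions modelled on MLflow's tracking-server URL layout rather than taken from the advisory, which does not name the handler; the log lines are constructed. The scanner decodes repeatedly so that a double-encoded `%252e%252e` and a backslash variant are caught alongside a literal `../`, which a naive substring match on the raw request line would miss.

```python
"""Scan web-server access logs for traversal attempts against artifact handler
endpoints. Added example for this page; the endpoint prefixes and the log lines
are assumed/constructed, not taken from the advisory."""
import re
from urllib.parse import unquote, urlsplit

# Assumed artifact-handler URL prefixes (MLflow-style layout; not from the advisory).
ARTIFACT_ENDPOINTS = (
    "/get-artifact",
    "/model-versions/get-artifact",
    "/api/2.0/mlflow-artifacts/artifacts",
    "/ajax-api/2.0/mlflow-artifacts/artifacts",
)

# Common-log-format line: client, ident, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Lines 2-4 are traversal attempts
# in three encodings; the rest are benign or hit non-artifact endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2026:10:01:02 +0000] "GET /get-artifact?path=model%2Fmodel.pkl&run_uuid=abc123 HTTP/1.1" 200 5120
10.0.0.9 - - [20/Feb/2026:10:01:07 +0000] "GET /get-artifact?path=..%2F..%2F..%2Fetc%2Fpasswd&run_uuid=abc123 HTTP/1.1" 200 1870
10.0.0.9 - - [20/Feb/2026:10:01:09 +0000] "PUT /api/2.0/mlflow-artifacts/artifacts/%252e%252e/%252e%252e/home/mlflow/.bashrc HTTP/1.1" 200 0
10.0.0.9 - - [20/Feb/2026:10:01:11 +0000] "GET /api/2.0/mlflow-artifacts/artifacts/run1/..\\..\\..\\etc\\shadow HTTP/1.1" 404 0
10.0.0.7 - - [20/Feb/2026:10:02:00 +0000] "GET /ajax-api/2.0/mlflow/runs/search HTTP/1.1" 200 980
10.0.0.7 - - [20/Feb/2026:10:02:03 +0000] "GET /static-files/main.js?v=..%2Fx HTTP/1.1" 200 42
"""


def decode_fully(value: str, max_rounds: int = 3):
    """Percent-decode until stable (bounded), then fold backslashes to '/'.
    Returns (decoded, rounds) so a finding can record double encoding."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value.replace("\\", "/"), rounds


def is_traversal(decoded: str, is_query_value: bool) -> bool:
    # A ".." segment anywhere, or an absolute path handed in as a parameter
    # value, is what an artifact handler must never be given.
    segments = decoded.split("/")
    return ".." in segments or (is_query_value and decoded.startswith("/"))


def scan_access_log(text: str) -> list:
    """Return one finding per log line that sends a traversal to an artifact endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        path_decoded, _ = decode_fully(parts.path)
        if not path_decoded.startswith(ARTIFACT_ENDPOINTS):
            continue  # scoped to artifact handlers to keep the rule quiet
        # Check the URL path itself and every raw query value; the query is split
        # by hand so double-encoded values are still seen in their raw form.
        candidates = [(parts.path, False)]
        for pair in (parts.query.split("&") if parts.query else []):
            _, _, raw_value = pair.partition("=")
            candidates.append((raw_value, True))
        for raw, is_query in candidates:
            decoded, rounds = decode_fully(raw)
            if is_traversal(decoded, is_query):
                findings.append({
                    "src": m.group("src"), "ts": m.group("ts"),
                    "method": m.group("method"), "target": m.group("target"),
                    "status": int(m.group("status")),
                    "decoded": decoded, "decode_rounds": rounds,
                })
                break  # one finding per request
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} rounds={f['decode_rounds']} -> {f['decoded']}")
```

Run over the constructed sample the scanner reports the three requests from 10.0.0.9 and nothing else; the `decode_rounds` field distinguishes a plain or single-encoded probe from a double-encoded one, which is worth keeping in the alert because it signals an attacker deliberately working around a first-layer filter.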
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| NVD | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Red Hat (vendor) | — | 8.1 | HIGH | — |

The two NVD vectors disagree on attack complexity (L versus H) and on impact (L/L/L versus H/H/H). The description, unauthenticated remote code execution as the service account, matches the high-impact 8.1 vector better than the 7.3 headline score, so triage on the impact rather than on the lower number. The Wiz entry further down shows 9.1 CRITICAL in its header while its body reports a score of 8.1.
GHSA
ghsa · 2026-02-21 · CVE-2026-2033 [HIGH] CWE-22: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
OSV
osv · 2026-02-21 · CVE-2026-2033 [HIGH]: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
Red Hat
vendor_redhat · 2026-02-20 · CVSS 8.1 · CVE-2026-2033 [HIGH] CWE-22: mlflow: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
A flaw was found in MLflow Tracking Server. A remote attacker can exploit a directory traversal vulnerability b
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 9.1 · CVE-2026-2033 [CRITICAL]: CVE-2026-2033 Impact, Exploitability, and Mitigation Steps | Wiz
MLflow vulnerability analysis and mitigation
Source: NVD · Score 8.1 · Published February 20, 2026 · Severity HIGH · CNA Score 8.1 · Affected Technologies: MLflow · Has Public Exploit: No · Has C
Bugzilla
bugzilla · 2026-02-20 · CVSS 8.1 · CVE-2026-2033 [HIGH]: mlflow: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability