CVE-2026-2033 in MLflow
Summary
by MITRE • 02/21/2026
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
Analysis
by VulDB Data Team • 02/22/2026
CVE-2026-2033 is a critical directory traversal flaw in the MLflow Tracking Server artifact handler that enables remote code execution without authentication. The artifact handler processes user-supplied file paths without adequate validation, which lets an attacker manipulate file system operations. The flaw manifests when the server processes artifact file paths and fails to sanitize or validate the input before performing file operations, which can lead to arbitrary code execution.
This vulnerability maps directly to CWE-22 Directory Traversal and CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component, both of which are classified under the OWASP Top Ten as critical security risks. The attack vector leverages the lack of input validation in the artifact path handling, allowing remote attackers to craft malicious file paths that bypass normal access controls. The vulnerability's impact is amplified by the fact that no authentication is required, making it particularly dangerous in environments where MLflow servers are exposed to untrusted networks.
The operational impact of this vulnerability extends beyond simple code execution, as it allows attackers to operate with the privileges of the service account running the MLflow server. This presents a significant risk for organizations where MLflow servers are configured to run with elevated permissions, potentially enabling full system compromise. The vulnerability affects installations where MLflow Tracking Server is deployed in production environments, particularly those that expose artifact handling endpoints to external clients without proper network segmentation or authentication controls.
From an ATT&CK perspective, this vulnerability aligns with T1059 Command and Scripting Interpreter and T1068 Exploitation for Privilege Escalation, as it allows initial access followed by privilege escalation through service account exploitation. The lack of authentication requirements places this vulnerability in the T1190 Exploit Public-Facing Application category, as it represents an unauthenticated attack against a publicly exposed service. Organizations should consider implementing network segmentation to isolate MLflow servers from untrusted networks and ensure proper input validation is enforced throughout all file operation pathways.
Mitigation strategies should include immediate patching of affected MLflow versions, implementation of network access controls to restrict access to artifact endpoints, and deployment of web application firewalls to filter malicious path traversal attempts. Additionally, organizations should enforce the principle of least privilege for MLflow service accounts and implement comprehensive monitoring for unusual file system access patterns. The vulnerability underscores the importance of input validation in all file handling operations and highlights the critical need for security controls in machine learning infrastructure components that are often overlooked in traditional security assessments.
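The input validation called for above can be illustrated with a containment check that confines a user-supplied artifact path to a fixed root before any file operation. This is an added example, not MLflow's code or its patch; `resolve_artifact_path`, `artifact_root`, `user_path` and the sample paths are hypothetical names and constructed inputs.

```python
import os
import tempfile


class UnsafeArtifactPath(ValueError):
    """Raised when a requested path would leave the artifact root."""


def resolve_artifact_path(artifact_root: str, user_path: str) -> str:
    """Return the real path for user_path, guaranteed to sit under artifact_root."""
    if "\x00" in user_path:
        raise UnsafeArtifactPath("NUL byte in path")
    # Treat backslashes as separators so "..\\.." is judged like "../..".
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/") or os.path.isabs(normalized):
        raise UnsafeArtifactPath("absolute paths are not accepted")
    # Strict policy: any ".." segment is refused, even one that stays inside.
    if ".." in normalized.split("/"):
        raise UnsafeArtifactPath("parent-directory segment in path")
    root = os.path.realpath(artifact_root)
    # realpath() follows symlinks, so a link inside the root that points
    # outside it fails the containment check below.
    candidate = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeArtifactPath("path resolves outside the artifact root")
    return candidate


def is_allowed(artifact_root: str, user_path: str) -> bool:
    try:
        resolve_artifact_path(artifact_root, user_path)
        return True
    except UnsafeArtifactPath:
        return False


def demo() -> dict:
    """Check constructed sample paths against a throwaway artifact root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "artifacts")
        os.makedirs(os.path.join(root, "run1"))
        # Constructed symlink inside the root that points outside it.
        os.symlink(tmp, os.path.join(root, "run1", "escape"))
        samples = ["run1/model.pkl", "../outside.txt", "run1/../../outside.txt",
                   "/etc/passwd", "run1\\..\\..\\x", "run1/escape/outside.txt"]
        return {s: is_allowed(root, s) for s in samples}


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'allow' if ok else 'deny '}  {path!r}")
```

The check belongs on the fully decoded string that is handed to the file API, not on the raw request, so that encoded separators are judged in their final form.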