CVE-2026-2033 — HIGH (CVSS 8.1) AI Security Vulnerability

Q: Is CVE-2026-2033 actively exploited?

No confirmed active exploitation of CVE-2026-2033 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-2033?

1. PATCH: Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server. 2. ISOLATE: If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone. 3. AUDIT: Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context. 4. SCOPE CHECK: Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked. 5. DETECT: Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process. 6. ROTATE: If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

Q: What systems are affected by CVE-2026-2033?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps platforms, experiment tracking systems, model registries, CI/CD ML pipelines, data science workbenches.

Q: What is the CVSS score for CVE-2026-2033?

CVE-2026-2033 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 14.68%.

CISO Take

CVE-2026-2033 is an unauthenticated RCE in MLflow Tracking Server — arguably the most dangerous class of vulnerability in MLOps infrastructure. Any MLflow instance reachable from the network (including internal networks) is fully compromised without credentials. Patch immediately to the version containing PR #19260, or isolate behind an authenticated reverse proxy until patching is possible.

Risk Assessment

Despite missing CVSS scores, this is effectively a 9.8 Critical. The attack vector is network-accessible, requires no authentication or user interaction, and achieves full code execution as the service account. MLflow is routinely deployed with broad internal network access and often runs with elevated permissions needed to read/write model artifacts and datasets. The combination of zero-auth + RCE + MLOps context creates maximum blast radius: stolen models, poisoned artifacts, lateral movement into training infrastructure, and potential data exfiltration.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	< 3.8.0rc0	`3.8.0rc0`
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

14.7%

chance of exploitation in 30 days

Higher than 95% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Possible

Exploitation: LOW

Sophistication

Advanced

Exploitation Confidence

low

○ EPSS exploit prediction: 15%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server.
ISOLATE

If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone.
AUDIT

Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context.
SCOPE CHECK

Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked.
DETECT

Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process.
ROTATE

If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Model Poisoning Code Execution Framework RAG Model AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0044 - Full AI Model Access AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - Information security in supplier relationships A.8.4 - AI system operation and monitoring

NIST AI RMF

GOVERN 1.7 - Processes for AI risk monitoring GOVERN 6.1 - Policies for third-party AI risks MANAGE 2.2 - Mechanisms for maintenance and updates of AI systems

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-2033?

CVE-2026-2033 is an unauthenticated RCE in MLflow Tracking Server — arguably the most dangerous class of vulnerability in MLOps infrastructure. Any MLflow instance reachable from the network (including internal networks) is fully compromised without credentials. Patch immediately to the version containing PR #19260, or isolate behind an authenticated reverse proxy until patching is possible.

Is CVE-2026-2033 actively exploited?

No confirmed active exploitation of CVE-2026-2033 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2033?

1. PATCH: Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server. 2. ISOLATE: If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone. 3. AUDIT: Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context. 4. SCOPE CHECK: Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked. 5. DETECT: Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process. 6. ROTATE: If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

What systems are affected by CVE-2026-2033?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps platforms, experiment tracking systems, model registries, CI/CD ML pipelines, data science workbenches.

What is the CVSS score for CVE-2026-2033?

CVE-2026-2033 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 14.68%.

Technical Details

NVD Description

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

Exploitation Scenario

An adversary targeting an organization's AI/ML pipeline scans for exposed MLflow Tracking Server instances on internal networks or via misconfigured cloud security groups. Finding an accessible instance, they craft a POST request to the artifact upload endpoint with a path containing directory traversal sequences (e.g., ../../etc/cron.d/backdoor), bypassing the lack of path validation in the artifact handler. They write a malicious script to a cron directory or overwrite a Python module in the MLflow virtual environment, achieving code execution as the service account on the next scheduled execution. From this foothold, the attacker accesses the full experiment database (exposing proprietary model architectures, hyperparameters, and dataset locations), exfiltrates trained model weights, and potentially injects poisoned artifacts into the model registry — artifacts that may propagate to production inference systems if the pipeline lacks artifact integrity verification.