CVE-2026-2033: MLflow Path Traversal enables file

Q: Is CVE-2026-2033 actively exploited?

No confirmed active exploitation of CVE-2026-2033 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-2033?

1. PATCH: Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server. 2. ISOLATE: If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone. 3. AUDIT: Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context. 4. SCOPE CHECK: Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked. 5. DETECT: Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process. 6. ROTATE: If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

Q: What systems are affected by CVE-2026-2033?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps platforms, experiment tracking systems, model registries, CI/CD ML pipelines, data science workbenches.

Q: What is the CVSS score for CVE-2026-2033?

CVE-2026-2033 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.80%.

CISO Take

CVE-2026-2033 is an unauthenticated RCE in MLflow Tracking Server — arguably the most dangerous class of vulnerability in MLOps infrastructure. Any MLflow instance reachable from the network (including internal networks) is fully compromised without credentials. Patch immediately to the version containing PR #19260, or isolate behind an authenticated reverse proxy until patching is possible.

What is the risk?

Despite missing CVSS scores, this is effectively a 9.8 Critical. The attack vector is network-accessible, requires no authentication or user interaction, and achieves full code execution as the service account. MLflow is routinely deployed with broad internal network access and often runs with elevated permissions needed to read/write model artifacts and datasets. The combination of zero-auth + RCE + MLOps context creates maximum blast radius: stolen models, poisoned artifacts, lateral movement into training infrastructure, and potential data exfiltration.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	< 3.8.0rc0	`3.8.0rc0`
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

1.8%

chance of exploitation in 30 days

Higher than 76% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Advanced

What is the attack surface?

AV Network

AC High

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

PATCH

Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server.
ISOLATE

If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone.
AUDIT

Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context.
SCOPE CHECK

Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked.
DETECT

Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process.
ROTATE

If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Model Poisoning Code Execution Framework RAG Model AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0044 - Full AI Model Access AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - Information security in supplier relationships A.8.4 - AI system operation and monitoring

NIST AI RMF

GOVERN 1.7 - Processes for AI risk monitoring GOVERN 6.1 - Policies for third-party AI risks MANAGE 2.2 - Mechanisms for maintenance and updates of AI systems

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-2033?

CVE-2026-2033 is an unauthenticated RCE in MLflow Tracking Server — arguably the most dangerous class of vulnerability in MLOps infrastructure. Any MLflow instance reachable from the network (including internal networks) is fully compromised without credentials. Patch immediately to the version containing PR #19260, or isolate behind an authenticated reverse proxy until patching is possible.

Is CVE-2026-2033 actively exploited?

No confirmed active exploitation of CVE-2026-2033 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2033?

1. PATCH: Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server. 2. ISOLATE: If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone. 3. AUDIT: Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context. 4. SCOPE CHECK: Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked. 5. DETECT: Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process. 6. ROTATE: If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

What systems are affected by CVE-2026-2033?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps platforms, experiment tracking systems, model registries, CI/CD ML pipelines, data science workbenches.

What is the CVSS score for CVE-2026-2033?

CVE-2026-2033 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.80%.

What is the AI security impact?

Affected AI Architectures

training pipelinesMLOps platformsexperiment tracking systemsmodel registriesCI/CD ML pipelinesdata science workbenches

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0018.002 Embed Malware

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0044 Full AI Model Access

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0055 Unsecured Credentials

AML.T0072 Reverse Shell

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.1.2, A.8.4

NIST AI RMF: GOVERN 1.7, GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM05, LLM05:2025

What are the technical details?

Original Advisory

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

Exploitation Scenario

An adversary targeting an organization's AI/ML pipeline scans for exposed MLflow Tracking Server instances on internal networks or via misconfigured cloud security groups. Finding an accessible instance, they craft a POST request to the artifact upload endpoint with a path containing directory traversal sequences (e.g., ../../etc/cron.d/backdoor), bypassing the lack of path validation in the artifact handler. They write a malicious script to a cron directory or overwrite a Python module in the MLflow virtual environment, achieving code execution as the service account on the next scheduled execution. From this foothold, the attacker accesses the full experiment database (exposing proprietary model architectures, hyperparameters, and dataset locations), exfiltrates trained model weights, and potentially injects poisoned artifacts into the model registry — artifacts that may propagate to production inference systems if the pipeline lacks artifact integrity verification.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.