CVE-2026-2033 — HIGH (CVSS 8.1) AI Security Vulnerability

CISO Take

CVE-2026-2033 is an unauthenticated RCE in MLflow Tracking Server — arguably the most dangerous class of vulnerability in MLOps infrastructure. Any MLflow instance reachable from the network (including internal networks) is fully compromised without credentials. Patch immediately to the version containing PR #19260, or isolate behind an authenticated reverse proxy until patching is possible.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	< 3.8.0rc0	`3.8.0rc0`

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

9.2%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Advanced

Recommended Action

1. PATCH: Apply the fix from MLflow PR #19260 immediately. Verify the installed version includes this patch before re-exposing the server. 2. ISOLATE: If immediate patching is not possible, place MLflow behind an authenticating reverse proxy (nginx + OAuth2 proxy, Cloudflare Access, or equivalent). Do not rely on network segmentation alone. 3. AUDIT: Review MLflow access logs for requests to artifact endpoints containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f, ....//). Check for unexpected file writes in the MLflow service account's filesystem context. 4. SCOPE CHECK: Inventory all MLflow Tracking Server instances across environments — dev, staging, and CI/CD pipelines are frequently overlooked. 5. DETECT: Add WAF/IDS rules matching path traversal patterns on artifact upload/download endpoints. Set up alerting for anomalous file system activity from the MLflow process. 6. ROTATE: If the instance was network-accessible, assume compromise. Rotate credentials stored in the MLflow environment, audit connected data stores and model registries for unauthorized access.

Classification

Data Extraction Model Poisoning Code Execution Framework RAG Model AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0044 - Full AI Model Access AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - Information security in supplier relationships A.8.4 - AI system operation and monitoring

NIST AI RMF

GOVERN 1.7 - Processes for AI risk monitoring GOVERN 6.1 - Policies for third-party AI risks MANAGE 2.2 - Mechanisms for maintenance and updates of AI systems

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Technical Details

NVD Description

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

Exploitation Scenario

An adversary targeting an organization's AI/ML pipeline scans for exposed MLflow Tracking Server instances on internal networks or via misconfigured cloud security groups. Finding an accessible instance, they craft a POST request to the artifact upload endpoint with a path containing directory traversal sequences (e.g., ../../etc/cron.d/backdoor), bypassing the lack of path validation in the artifact handler. They write a malicious script to a cron directory or overwrite a Python module in the MLflow virtual environment, achieving code execution as the service account on the next scheduled execution. From this foothold, the attacker accesses the full experiment database (exposing proprietary model architectures, hyperparameters, and dataset locations), exfiltrates trained model weights, and potentially injects poisoned artifacts into the model registry — artifacts that may propagate to production inference systems if the pipeline lacks artifact integrity verification.

Weaknesses (CWE)

CWE-22 Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published

February 20, 2026

Last Modified

March 17, 2026

First Seen

February 20, 2026