CVE-2026-2033
Published: 20 February 2026
Summary
CVE-2026-2033 is a high-severity Path Traversal (CWE-22) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a directory traversal flaw in the artifact file path handling logic of the MLflow Tracking Server. It stems from insufficient validation of user-supplied paths before they are used in file operations, enabling remote code execution on affected installations. The issue is tracked as CVE-2026-2033 with an associated ZDI-CAN-26649 identifier and carries a CVSS 3.0 score of 8.1.
Remote unauthenticated attackers can exploit the weakness over the network to achieve arbitrary code execution in the context of the service account. The attack requires no user interaction and targets the lack of path sanitization within the artifact handler component.
A patch addressing the path validation issue is referenced in the MLflow project pull request 19260, while the Zero Day Initiative advisory ZDI-26-105 provides additional details on the vulnerability. The EPSS score has remained flat at a peak of 0.1843 with no material increase observed after disclosure. The affected component is part of the widely used MLflow machine learning lifecycle platform.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7508
Vulnerability details
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within…
more
the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mlflow
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal in unauthenticated public MLflow Tracking Server directly enables remote exploitation for RCE and server compromise.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the lack of proper validation of user-supplied artifact file paths, preventing directory traversal and subsequent RCE.
Ensures timely patching of the specific directory traversal flaw in MLflow Tracking Server as detailed in the provided mitigation PR.
Enforces logical access controls on file operations, complementing path validation to restrict unauthorized directory access.