Cyber Resilience

CVE-2026-2033

High

Published: 20 February 2026

Published
20 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0180 75.7th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-2033 is a high-severity Path Traversal (CWE-22) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a directory traversal flaw in the artifact file path handling logic of the MLflow Tracking Server. It stems from insufficient validation of user-supplied paths before they are used in file operations, enabling remote code execution on affected installations. The issue is tracked as CVE-2026-2033 with an associated ZDI-CAN-26649 identifier and carries a CVSS 3.0 score of 8.1.

Remote unauthenticated attackers can exploit the weakness over the network to achieve arbitrary code execution in the context of the service account. The attack requires no user interaction and targets the lack of path sanitization within the artifact handler component.

A patch addressing the path validation issue is referenced in the MLflow project pull request 19260, while the Zero Day Initiative advisory ZDI-26-105 provides additional details on the vulnerability. The EPSS score has remained flat at a peak of 0.1843 with no material increase observed after disclosure. The affected component is part of the widely used MLflow machine learning lifecycle platform.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within…

more

the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mlflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal in unauthenticated public MLflow Tracking Server directly enables remote exploitation for RCE and server compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8756Shared CWE-22
CVE-2025-50857Shared CWE-22
CVE-2025-10488Shared CWE-22
CVE-2025-11201Shared CWE-22
CVE-2025-2505Shared CWE-22
CVE-2026-5841Shared CWE-22
CVE-2026-33242Shared CWE-22
CVE-2026-33292Shared CWE-22
CVE-2026-35605Shared CWE-22
CVE-2025-53632Shared CWE-22

Affected Assets

Zerodayinitiative
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the lack of proper validation of user-supplied artifact file paths, preventing directory traversal and subsequent RCE.

prevent

Ensures timely patching of the specific directory traversal flaw in MLflow Tracking Server as detailed in the provided mitigation PR.

prevent

Enforces logical access controls on file operations, complementing path validation to restrict unauthorized directory access.

References