CVE-2026-2033

8.1 HIGH

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on MLflow Tracking Server installations via directory traversal in artifact file path handling. Attackers can exploit improper path validation to write malicious files and achieve remote code execution as the service account. All MLflow Tracking Server deployments with vulnerable versions are affected.

💻 Affected Systems

Products:
  • MLflow Tracking Server
Versions: Prior to 2.19.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with artifact storage enabled are vulnerable. Authentication is not required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if network segmentation, strict firewall rules, and least-privilege service accounts are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are well-understood and easy to exploit. The ZDI advisory suggests weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.19.0

Vendor Advisory: https://github.com/mlflow/mlflow/pull/19260

Restart Required: Yes

Instructions:

  1. Back up your MLflow data and configurations.
  2. Update MLflow using pip: 'pip install --upgrade mlflow==2.19.0'.
  3. Restart the MLflow Tracking Server service.
  4. Verify the update was successful.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to MLflow Tracking Server to trusted IPs only

# Configure firewall rules to allow only trusted sources
# Example: iptables -A INPUT -p tcp --dport 5000 -s trusted_ip -j ACCEPT
# iptables -A INPUT -p tcp --dport 5000 -j DROP

Reverse Proxy with Path Validation

all

Deploy a reverse proxy that validates and sanitizes file paths before forwarding to MLflow

# Configure nginx or similar to filter malicious paths
# Example nginx location block with regex filtering

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to MLflow servers
  • Run MLflow with minimal privileges using a dedicated service account with restricted filesystem access

🔍 How to Verify

Check if Vulnerable:

Check MLflow version: 'mlflow --version' or 'pip show mlflow'. If version is below 2.19.0, the system is vulnerable.

Check Version:

mlflow --version

Verify Fix Applied:

Confirm version is 2.19.0 or higher: 'mlflow --version' should show 2.19.0+. A test artifact upload containing traversal sequences should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path patterns in artifact upload logs
  • Multiple failed upload attempts with directory traversal sequences
  • Unexpected process execution from MLflow service account

Network Indicators:

  • HTTP requests containing '../' or similar traversal patterns to artifact endpoints
  • Unusual outbound connections from MLflow server

SIEM Query:

source="mlflow.logs" AND ("../" OR "..\\" OR "%2e%2e%2f")
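
The SIEM query above matches only three literal spellings of a traversal sequence, so nested percent-encoding or mixed separators pass unnoticed. The following Python script is an added example, not part of the original page or of MLflow: it normalizes each request target before checking for a `..` segment. It assumes common/combined access-log lines; the function names, the `/artifacts/...` paths and the IP addresses are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|PUT|POST|DELETE|PATCH|HEAD) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested percent-encoding


def normalize(target: str) -> str:
    """Percent-decode repeatedly until stable, then unify path separators."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if any path or query segment is exactly '..' after normalization."""
    segments = re.split(r"[/?&=]", normalize(target))
    return ".." in segments


def flag_lines(lines):
    """Return the log lines whose request target contains a traversal segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample access-log lines (placeholder paths, documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /artifacts/model/weights.bin HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "PUT /artifacts/%2e%2e%2fout.txt HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "PUT /artifacts/%252e%252e%252fout.txt HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "PUT /artifacts/..%5cout.txt HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:04 +0000] "GET /artifacts/v1..2/notes.txt HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /artifacts?path=..%2F..%2Fout.txt HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print("TRAVERSAL:", hit)
```

Matching on whole segments keeps names such as `v1..2` from raising false positives, which a plain substring search for `..` would flag.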
