CVE-2026-2033: Critical Unauthenticated RCE Discovered in MLflow Tracking Server — Remote Attackers Can Execute Code Over the Network

MLflow Tracking Server – Unauthenticated Remote Code Execution

CVE ID: CVE-2026-2033
Affected Product: MLflow Tracking Server
Vulnerability Type: Path Traversal leading to Remote Code Execution
CVSS v3.1 Score: 8.1 (High)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Scope: Unchanged
Exploitability: High (remotely reachable service)
Public Exploit Availability: No fully weaponized exploit kit publicly circulated at time of writing; technical details sufficient for custom exploit development are available in security discussions.
Impact: Arbitrary file write / Remote Code Execution under MLflow service account


Overview

A critical vulnerability was identified in the MLflow Tracking Server component affecting artifact handling functionality. The issue stems from improper validation and normalization of user-supplied file paths when processing artifact uploads or retrieval operations.

Under specific deployment configurations, this weakness allows a remote unauthenticated attacker to perform directory traversal. By escaping the intended artifact storage directory, arbitrary file write operations become possible. If the overwritten or created file resides in a location that is later executed or interpreted by the system, remote code execution may be achieved.

Because MLflow servers are frequently exposed internally within research environments — and sometimes publicly — the risk is significant when network restrictions are not enforced.


Technical Details

The vulnerability originates from insufficient sanitization of artifact path parameters accepted by the MLflow Tracking API. When artifact upload or logging endpoints accept a filename or path, the input is not strictly constrained to the configured artifact root directory.

If traversal sequences (such as encoded parent directory indicators) are processed without canonical path enforcement, filesystem operations may resolve outside the intended directory boundary.
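A hardened form of the check described above, added here as an example (it is not MLflow's code or its fix): it decodes, normalises and canonicalises a client-supplied artifact path and refuses anything that would resolve outside the artifact root. The artifact_root value and the function names are assumptions.

```python
import os
import posixpath
from urllib.parse import unquote


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e%252f -> ../) so the
    check sees the string the filesystem would eventually see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_artifact_path(artifact_root: str, user_path: str) -> str:
    """Return the absolute on-disk path for a client-supplied artifact path,
    or raise ValueError if it would resolve outside artifact_root.

    artifact_root is a hypothetical local artifact directory; both sides are
    canonicalised and the result must stay under the root."""
    root = os.path.realpath(artifact_root)
    decoded = _fully_decode(user_path)
    # Reject NUL and other control characters before touching the filesystem.
    if any(ord(c) < 0x20 for c in decoded):
        raise ValueError("control character in artifact path")
    # Treat backslashes as separators, collapse './' and '//', then refuse
    # absolute paths and any surviving '..' segment (normpath alone would
    # silently fold 'a/../../x' into '../x').
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    if normalised.startswith("/") or ".." in normalised.split("/"):
        raise ValueError(f"traversal rejected: {user_path!r}")
    candidate = os.path.realpath(os.path.join(root, normalised))
    # realpath follows symlinks, so a planted link cannot escape the root either.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes artifact root: {user_path!r}")
    return candidate


def is_safe_artifact_path(artifact_root: str, user_path: str) -> bool:
    """Boolean wrapper suitable for request validation middleware."""
    try:
        resolve_artifact_path(artifact_root, user_path)
    except ValueError:
        return False
    return True
```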

Once arbitrary file write capability is obtained, several attack paths become viable:

  • Overwriting Python modules used by MLflow
  • Dropping malicious scripts in writable execution paths
  • Writing cron jobs (if permissions allow)
  • Modifying configuration files
  • Injecting payloads into startup scripts
  • Reading sensitive files (if read traversal is possible)

Remote code execution depends on deployment architecture. The following factors increase exploit success likelihood:

  • MLflow running as a privileged user
  • Artifact storage located on local filesystem
  • Writable directories intersecting runtime paths
  • Lack of container isolation
  • No WAF or reverse proxy filtering

If MLflow runs inside a properly isolated container with read-only root filesystem and restricted mount points, exploitation impact is reduced significantly.


Attack Flow

  1. Target MLflow Tracking Server exposed over HTTP/HTTPS.
  2. Malicious request sent to artifact endpoint with crafted traversal payload.
  3. Server processes path without strict normalization.
  4. File written outside intended artifact directory.
  5. Payload executed through application load, scheduled job, or manual invocation.
  6. Attacker gains command execution under MLflow service context.

No authentication is required for exploitation if the MLflow instance allows unauthenticated artifact interactions.


Affected Deployment Scenarios

High Risk:

  • Publicly accessible MLflow servers
  • On-premise research servers without network segmentation
  • Cloud VMs with open security groups
  • MLflow running as root

Moderate Risk:

  • Internal-only deployments without strict access controls
  • Containerized instances without read-only enforcement

Lower Risk:

  • Private VPC deployments with strict firewalling
  • Reverse proxy enforcing authentication
  • Hardened container runtime with limited filesystem mounts

Proof of Concept (Educational)

The vulnerability can be validated in a controlled lab environment by observing server behavior when traversal sequences are submitted within artifact-related API calls.

Indicators of successful exploitation attempt:

  • Artifact stored outside configured directory
  • Server error messages referencing unexpected filesystem paths
  • Unexpected file creation timestamps

Indicators of Compromise (IOC)

  • Unexpected files created in:
    • /etc/
    • /var/spool/cron/
    • Application runtime directories
    • Python site-packages directories
  • MLflow process spawning shell processes
  • HTTP requests containing encoded traversal sequences
  • Repeated artifact endpoint access from unknown IP addresses
  • Large number of 400/500 errors followed by successful 200 response on artifact API

Detection

Log Sources

  • MLflow application logs
  • Reverse proxy logs (Nginx, Apache, ALB)
  • Linux auditd logs
  • EDR / XDR telemetry
  • File Integrity Monitoring logs
  • Cloud storage access logs (if artifact backend is S3/GCS)

Splunk Detection Queries

1. Path Traversal Attempts in Web Logs

index=web_logs 
(uri_path="*artifact*" OR uri_path="*/artifacts/*")
AND (uri_query="*../*" OR uri_query="*..%2f*" OR uri_query="*%2e%2e%2f*")
| stats count by src_ip, uri_path, uri_query

2. Suspicious File Creation by MLflow User

index=linux_audit 
user="mlflow"
action=created
NOT file_path="/mlflow/artifacts/*"
| stats count by file_path, host

3. MLflow Spawning Shell

index=edr_logs 
parent_process="mlflow"
(process_name="bash" OR process_name="sh" OR process_name="python")
| stats count by host, process_name

Elastic (KQL) Queries

Path Traversal Detection

url.path : "*artifact*" AND 
(url.query : "*../*" OR url.query : "*..%2f*" OR url.query : "*%2e%2e%2f*")

Suspicious Process Spawn

process.parent.name : "mlflow" AND 
process.name : ("bash" or "sh" or "python")
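The same two signals the Splunk and KQL queries above look for, decoded traversal in artifact URIs and a run of 4xx/5xx responses followed by a 200 from one client, applied to reverse-proxy log lines in Python. This is an added example, not code from the page or from MLflow; the log lines, client addresses and endpoint paths are constructed for the sample.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed reverse-proxy lines (combined log format). Addresses, times
# and endpoint paths are made up for the sample, not taken from MLflow.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2026:10:01:02 +0000] "GET /artifacts/models/model.pkl HTTP/1.1" 200 512
203.0.113.7 - - [10/Feb/2026:10:01:09 +0000] "PUT /artifacts/..%2f..%2ftmp/x HTTP/1.1" 500 0
203.0.113.7 - - [10/Feb/2026:10:01:11 +0000] "PUT /artifacts/%252e%252e%252ftmp/x HTTP/1.1" 400 0
203.0.113.7 - - [10/Feb/2026:10:01:14 +0000] "PUT /artifacts/a/../../../tmp/x HTTP/1.1" 200 0
10.0.0.9 - - [10/Feb/2026:10:02:00 +0000] "GET /api/2.0/mlflow/experiments/list HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_traversal(target: str) -> bool:
    """True if the request path holds a '..' segment once percent-encoding
    (including double encoding such as %252e) is undone."""
    path = urlsplit(target).path.replace("\\", "/")
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return ".." in path.split("/")


def analyse(log_text: str, error_threshold: int = 2):
    """Return (traversal_hits, probe_then_success): artifact requests that
    carry traversal, and clients with >= error_threshold 4xx/5xx responses
    on the artifact API followed by a 200 (the IOC pattern listed above)."""
    hits, per_ip = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "artifact" not in m["target"]:
            continue  # unparsable or not an artifact endpoint
        ip, target, status = m["ip"], m["target"], int(m["status"])
        if has_traversal(target):
            hits.append((ip, target, status))
        state = per_ip.setdefault(ip, {"errors": 0, "flagged": False})
        if status >= 400:
            state["errors"] += 1
        elif status == 200 and state["errors"] >= error_threshold:
            state["flagged"] = True
    return hits, sorted(ip for ip, s in per_ip.items() if s["flagged"])
```

Some proxies normalise the request path before logging it, so run the check on the rawest log you have (the proxy's $request field rather than a rewritten upstream URI).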

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1059 – Command and Scripting Interpreter
  • T1105 – Ingress Tool Transfer
  • T1505 – Server Software Component
  • T1562 – Impair Defenses

Risk Impact

If exploited successfully:

  • Full compromise of ML experiment metadata
  • Model poisoning or tampering
  • Intellectual property theft
  • Credential harvesting from host system
  • Lateral movement inside internal research networks
  • Persistence through cron or service manipulation

Because MLflow often integrates with CI/CD pipelines and model deployment infrastructure, compromise may propagate to production systems.


Mitigation

Immediate Actions:

  • Restrict MLflow to internal networks only.
  • Implement authentication in front of MLflow.
  • Enforce least privilege service account.
  • Enable read-only root filesystem in containers.
  • Isolate artifact storage on dedicated mount.
  • Monitor artifact API usage volume anomalies.

Long-Term Remediation:

  • Upgrade to patched MLflow version as soon as vendor release is published.
  • Conduct full compromise assessment if exploitation suspected.
  • Rotate any credentials stored on affected host.
  • Rebuild host from clean image if unauthorized file modification detected.

Hardening Recommendations

  • Run MLflow behind reverse proxy with strict request filtering.
  • Enforce strict file path canonicalization validation.
  • Disable direct filesystem artifact storage when possible.
  • Prefer object storage with IAM-based access control.
  • Enable network segmentation for research workloads.
  • Deploy EDR with behavioral monitoring enabled.

Patch and Upgrade

Upgrade to the fixed MLflow version as specified in the official advisory:

https://github.com/mlflow/mlflow/security

It is strongly recommended that patching be prioritized before exposing any MLflow instance to untrusted networks.


Executive Summary

CVE-2026-2033 represents a high-risk remote code execution vulnerability in MLflow Tracking Server caused by insufficient validation of artifact paths. Because exploitation does not require authentication and may be performed over the network, exposed instances are at immediate risk.

Organizations operating MLflow should assume exploitation attempts will occur once awareness increases. Network restriction, monitoring, and prompt patching are critical to reducing risk.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.