PT-2026-8004 · Databricks · Mlflow Tracking Server

Muhammad Fadilullah Dzaki · Published 2026-02-13 · Updated 2026-03-19 · CVE-2026-2033

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MLflow Tracking Server (affected versions not specified)

Description

A directory traversal issue exists in the MLflow Tracking Server's artifact handler, potentially leading to remote code execution. The issue involves improper handling of file paths, which could allow an attacker to access or modify files outside the intended directory.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-2033
GHSA-Q2R8-VMQ7-FPX2
ZDI-26-105

Affected Products

Mlflow Tracking Server