1. Executive Summary
Two chained vulnerabilities in MLflow -- an open-source MLOps platform maintained by Databricks -- enable unauthenticated remote code execution against MLflow Tracking Server deployments. CVE-2026-2635 (CVSS 9.8 Critical, CVSS v3.0) allows authentication bypass via hard-coded default credentials in the basic_auth.ini configuration file (NVD entry, CNA-submitted by ZDI). CVE-2026-2033 (CVSS 8.1 High, CVSS v3.0) permits directory traversal through the artifact handler, leading to remote code execution in the service account context (NVD entry, CNA-submitted by ZDI). When chained, an attacker with no prior credentials can authenticate as an administrator and then exploit the artifact path traversal to achieve code execution on the underlying host (RAXE assessment). Organisations running MLflow with basic authentication enabled should immediately change default credentials and upgrade to version 3.8.0 or later (PyPI, GitHub PR #19260).
2. Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical | CVE-2026-2635: CVSS 9.8 Critical; CVE-2026-2033: CVSS 8.1 High (NVD entry, CNA-submitted by ZDI) |
| Urgency | High | Patch available since December 2025; EPSS 15.58% (94th percentile) for CVE-2026-2033 (FIRST.org EPSS) |
| Scope | Targeted | Affects MLflow Tracking Server deployments using basic authentication and file store artifact backend (RAXE assessment) |
| Confidence | High | Both CVEs assigned, ZDI-coordinated disclosure, vendor fix merged (NVD, ZDI) |
| Business Impact | High | Full host compromise via service account: data exfiltration, model tampering, lateral movement (RAXE assessment) |
CVE-2026-2635 Base Score: 9.8 Critical -- Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD entry)
CVE-2026-2033 Base Score: 8.1 High -- Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD entry)
CVSS Version Note: Both CVEs use CVSS version 3.0, not 3.1. Both NVD entries have status "Awaiting Analysis" -- NVD has not completed its own analysis, and these scores are CNA-submitted by the Zero Day Initiative (NVD, ZDI-26-111, ZDI-26-105). No actionable GHSA advisory with version or patch data exists for either CVE (GHSA-gq3w-7jj3-x7gr is a stub entry for CVE-2026-2635 with no package or version information).
CVSS Divergence Note
This is a multi-CVE finding. The metadata-level CVSS of 9.8 reflects the highest-severity component (CVE-2026-2635, authentication bypass). The second CVE (CVE-2026-2033, path traversal) carries a score of 8.1 in its NVD entry due to its high attack complexity (AC:H) (NVD entry). Both scores are CNA-submitted by ZDI via CVSS v3.0; NVD has not completed its own analysis of either CVE (NVD status: Awaiting Analysis). Severity language throughout this report references each CVE's individual CNA-submitted score where appropriate; the finding-level severity is "critical" based on the 9.8 composite.
EPSS Scores (as of 2026-03-10):
| CVE | EPSS Score | Percentile | Interpretation |
|---|---|---|---|
| CVE-2026-2635 | 1.39% | 80.10th | Moderate exploitation probability (FIRST.org EPSS) |
| CVE-2026-2033 | 15.58% | 94.56th | High exploitation probability (FIRST.org EPSS) |
The EPSS score for CVE-2026-2033 is notably elevated at the 94th percentile, indicating that FIRST.org's model assesses significant exploitation probability (FIRST.org EPSS). This is consistent with MLflow's history of path traversal vulnerabilities including CVE-2024-3573 and CVE-2024-1594 (RAXE assessment).
3. Affected Products
| Product | Ecosystem | Affected Versions | Fixed Version | Source |
|---|---|---|---|---|
| MLflow | PyPI | Versions prior to 3.8.0 (RAXE assessment -- see note below) | 3.8.0 | (GitHub PR #19260, PyPI) |
Version Range Note: NVD has not completed analysis of either CVE -- both have status "Awaiting Analysis" as of 23 February 2026 (NVD). No official affected version range has been published by NVD. The fix was merged via PR #19260 on 10 December 2025 (GitHub PR #19260). The PR carried a v3.7.1 milestone label, but version 3.7.1 was never released on PyPI (PyPI). The first stable release containing the fix is 3.8.0, released 21 December 2025 (PyPI). The latest available version is 3.10.1, released 5 March 2026 (PyPI). All versions prior to 3.8.0 that ship with the default basic_auth.ini and the vulnerable artifact handler code are presumed affected (RAXE assessment, pending NVD analysis).
Am I Affected?
- Check if your environment runs an MLflow Tracking Server with basic authentication enabled (via `basic_auth.ini`)
- Check your MLflow version: `pip show mlflow | grep Version` or `mlflow --version`. If your version is below 3.8.0, you are presumed affected (RAXE assessment)
- Check whether your artifact storage uses the file store backend (FileStore) -- CVE-2026-2033 specifically targets this backend (GitHub PR #19260)
- Check whether the default credentials in `basic_auth.ini` have been changed from their shipped values
4. Abstract
CVE-2026-2635 is a critical authentication bypass vulnerability in MLflow's optional basic authentication module. The module uses a configuration file (basic_auth.ini) that ships with hard-coded default credentials, classified as CWE-1393 ("Use of Default Credentials") (NVD entry, CNA-assigned by ZDI). An unauthenticated remote attacker can use these credentials to gain administrative access to the MLflow Tracking Server (ZDI-26-111).
CVE-2026-2033 is a directory traversal vulnerability (CVSS 8.1) in the MLflow Tracking Server's artifact handler. The flaw arises from "the lack of proper validation of a user-supplied path prior to using it in file operations" (ZDI-26-105), classified as CWE-22 ("Improper Limitation of a Pathname to a Restricted Directory") (ZDI-26-105). Exploitation enables remote code execution in the service account context (ZDI-26-105).
Both vulnerabilities were reported to MLflow through the Zero Day Initiative by independent researchers and were addressed in pull request #19260, merged 10 December 2025 (GitHub PR #19260). The combined exploitation chain -- authentication bypass followed by artifact path traversal to achieve RCE -- has not been publicly demonstrated end-to-end; this chaining analysis is a RAXE assessment (RAXE assessment).
5. Key Findings
- Hard-coded default credentials enable authentication bypass. MLflow's basic authentication module ships with default credentials in `basic_auth.ini` that allow unauthenticated remote administrative access (CVE-2026-2635, CVSS 9.8 Critical) (NVD, ZDI-26-111).
- Artifact handler path traversal enables remote code execution. The Tracking Server's artifact handler does not adequately validate user-supplied paths, allowing directory traversal that leads to code execution in the service account context (CVE-2026-2033, CVSS 8.1 High) (NVD, ZDI-26-105).
- Chaining may reduce the practical authentication barrier. CVE-2026-2033 alone carries AC:H (high attack complexity). An attacker who first authenticates via default credentials (CVE-2026-2635, AC:L) would have authenticated access to artifact handler endpoints, which may improve the reliability of triggering the traversal (RAXE assessment -- inferred from complementary attack surfaces; no public source demonstrates this chain end-to-end).
- Both CVEs fixed in the same pull request. PR #19260, authored by Ben Wilson, was merged 10 December 2025 (GitHub PR #19260). Both fixes appear in a single PR, which may indicate the vendor recognised the relationship between the flaws, though neither advisory explicitly states this (RAXE assessment -- inferred from PR co-location). The fix is included in MLflow 3.8.0 and later (PyPI).
- High EPSS score indicates elevated exploitation probability. CVE-2026-2033 has a 15.58% EPSS score at the 94.56th percentile, consistent with MLflow's history of path traversal CVEs (FIRST.org EPSS).
- NVD analysis pending. Neither CVE has a confirmed affected version range from NVD; both have status "Awaiting Analysis" as of 23 February 2026 (NVD).
6. Attack Flow
```text
+-------------------------------------------------------------------+
|        CVE-2026-2635 + CVE-2026-2033 Combined Attack Flow         |
|             (ZDI-26-111, ZDI-26-105, RAXE assessment)             |
+-------------------------------------------------------------------+

+---------------------+
| 1. Attacker submits |
|    default creds    |------ CWE-1393: hard-coded defaults
|    from basic_      |       in basic_auth.ini
|    auth.ini         |
+----------+----------+
           |
           v
+---------------------+
| 2. Authentication   |
|    bypass           |------ CVE-2026-2635 (CVSS 9.8)
|    (admin access)   |       AC:L, PR:N, UI:N
+----------+----------+
           |
           v
+---------------------+
| 3. Attacker sends   |
|    crafted artifact |------ CWE-22: insufficient path
|    request with     |       validation in artifact handler
|    traversal path   |
+----------+----------+
           |
           v
+---------------------+
| 4. Directory        |
|    traversal via    |------ CVE-2026-2033 (CVSS 8.1)
|    artifact handler |       AC:H, PR:N, UI:N
|    (file write)     |
+----------+----------+
           |
           v
+---------------------+
| 5. Remote code      |
|    execution in     |------ Service account context
|    MLflow service   |       (ZDI-26-105)
|    account          |
+---------------------+
```

Chain analysis: Steps 1-2 from CVE-2026-2635 (ZDI-26-111). Steps 3-5 from CVE-2026-2033 (ZDI-26-105). Combined chain is RAXE assessment -- not publicly demonstrated.
7. Technical Details
7.1 CVE-2026-2635: Authentication Bypass via Default Credentials
MLflow's optional authentication module uses a configuration file (basic_auth.ini) that ships with hard-coded default credentials (NVD). The vulnerability is classified as CWE-1393 ("Use of Default Credentials") (NVD). An unauthenticated remote attacker can use these credentials to bypass authentication and gain administrative access to the MLflow Tracking Server (ZDI-26-111).
The ZDI advisory states the flaw enables an attacker to "bypass authentication and execute arbitrary code in the context of the administrator" (ZDI-26-111). The researcher credited with discovery is Peter Girnus (@gothburz) of the Trend Zero Day Initiative (ZDI-26-111).
CVSS Analysis: CVSS v3.0 base score 9.8 Critical with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD entry -- CNA-submitted, NVD status: Awaiting Analysis). The PR:N and AC:L values indicate that exploitation requires no prior authentication and has low attack complexity.
ZDI Timeline: Reported 14 October 2025. Public advisory ZDI-26-111 (ZDI-CAN-28256) released 19 February 2026 (ZDI-26-111).
7.2 CVE-2026-2033: Artifact Handler Directory Traversal to RCE
A separate vulnerability in the MLflow Tracking Server's artifact handler permits directory traversal due to "the lack of proper validation of a user-supplied path prior to using it in file operations" (ZDI-26-105). The vulnerability is classified as CWE-22 ("Improper Limitation of a Pathname to a Restricted Directory") (ZDI-26-105).
The ZDI advisory describes the flaw as enabling directory traversal that leads to remote code execution in the service account context (ZDI-26-105). Analysis of the fix PR indicates that the specific traversal mechanism involves meta.yaml files in artifact directories (GitHub PR #19260 -- code-derived analysis, not explicitly stated in the ZDI advisory). The researcher credited with discovery is Muhammad Fadilullah Dzaki (ZDI-26-105).
CVSS Analysis: CVSS v3.0 base score 8.1 High with vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD entry -- CNA-submitted, NVD status: Awaiting Analysis). The high attack complexity (AC:H) indicates that additional conditions beyond attacker control must be met for successful exploitation (NVD entry).
ZDI Timeline: Reported 31 July 2025. Public advisory ZDI-26-105 (ZDI-CAN-26649) released 13 February 2026 (ZDI-26-105).
7.3 Chain Analysis
The two vulnerabilities target distinct layers of the MLflow Tracking Server (RAXE assessment):
| Layer | CVE | CWE | Effect |
|---|---|---|---|
| Authentication | CVE-2026-2635 | CWE-1393 (NVD) | Attacker gains admin access |
| File operations | CVE-2026-2033 | CWE-22 (ZDI-26-105) | Attacker achieves code execution |
When combined, CVE-2026-2635 removes the authentication barrier, and CVE-2026-2033 provides the code execution primitive (RAXE assessment). The path traversal alone (CVE-2026-2033) has AC:H, but an attacker who first authenticates via default credentials (CVE-2026-2635, AC:L) would have authenticated access to artifact handler endpoints, which may improve the reliability of triggering the traversal (RAXE assessment). Both vulnerabilities were addressed in the same pull request (#19260); neither advisory explicitly states the vendor recognised the relationship, but the co-location suggests it (RAXE assessment).
Important caveat: The combined exploitation chain has not been publicly demonstrated end-to-end. Each CVE is described independently in its respective ZDI advisory. The chain analysis is a RAXE assessment based on the complementary attack surfaces (RAXE assessment).
7.4 Fix Details
PR #19260, authored by Ben Wilson (BenWilson2), was merged to the MLflow master branch on 10 December 2025 (GitHub PR #19260). The fix implements run directory validation by adding an _is_valid_run_directory() function that checks for required subdirectories (metrics/, params/, artifacts/) and integrates validation in _find_run_root() to reject invalid run directories before processing (GitHub PR #19260).
The PR carried a v3.7.1 milestone label, but version 3.7.1 was never released on PyPI (PyPI). The first stable release containing the fix is MLflow 3.8.0, released 21 December 2025 (PyPI). The latest available version is 3.10.1, released 5 March 2026 (PyPI).
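As an added example (not MLflow's code, and not the contents of PR #19260), the Python below shows the two defences this section describes in one hardened artifact-path resolver: a containment check that rejects traversal, and a run-directory validity check modelled on the described `_is_valid_run_directory()` (required `metrics/`, `params/`, `artifacts/` subdirectories). The function names, the `<run>/artifacts/<file>` layout and the temporary store built by `demo()` are assumptions for illustration.

```python
"""Added example, not MLflow's code: a hardened artifact-path resolver that
applies the two defences the report describes for CVE-2026-2033.  Names such
as resolve_artifact_path() and the run-directory layout are assumptions."""
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Subdirectories a genuine run directory must contain, per the page's account
# of _is_valid_run_directory() in PR #19260
REQUIRED_RUN_SUBDIRS = ("metrics", "params", "artifacts")


class ArtifactPathError(ValueError):
    """Raised when a user-supplied artifact path is rejected."""


def is_valid_run_directory(run_dir: str) -> bool:
    """True only if every required subdirectory exists under run_dir."""
    return all(os.path.isdir(os.path.join(run_dir, d)) for d in REQUIRED_RUN_SUBDIRS)


def resolve_artifact_path(artifact_root: str, user_path: str) -> str:
    """Map a user-supplied path (assumed layout: <run>/artifacts/<file>) to a
    real filesystem path under artifact_root, or raise ArtifactPathError."""
    # Decode once so %2e%2e%2f is treated like ../ before any checks
    decoded = unquote(user_path)
    # Refuse absolute paths, NUL bytes and backslashes (POSIX store assumed)
    if os.path.isabs(decoded) or "\0" in decoded or "\\" in decoded:
        raise ArtifactPathError(f"rejected path: {user_path!r}")
    # Collapse ./ and ../ segments; anything still climbing upward is traversal
    norm = posixpath.normpath(decoded)
    if norm == ".." or norm.startswith("../"):
        raise ArtifactPathError(f"traversal rejected: {user_path!r}")
    # Containment check on resolved paths (also defeats symlink escapes)
    root = os.path.realpath(artifact_root)
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        raise ArtifactPathError(f"escapes artifact root: {user_path!r}")
    # The first component names the run; reject malformed run directories
    run_name = norm.split("/", 1)[0]
    if not is_valid_run_directory(os.path.join(root, run_name)):
        raise ArtifactPathError(f"not a valid run directory: {run_name!r}")
    return target


def demo() -> dict:
    """Constructed store layout exercising the resolver; returns a verdict per case."""
    root = tempfile.mkdtemp()
    for d in REQUIRED_RUN_SUBDIRS:
        os.makedirs(os.path.join(root, "run1", d))
    os.makedirs(os.path.join(root, "stray", "artifacts"))  # incomplete run dir
    cases = {
        "ok": "run1/artifacts/model.pkl",
        "dotdot": "run1/artifacts/../../../etc/passwd",
        "encoded": "run1/%2e%2e/%2e%2e/etc/passwd",
        "absolute": "/etc/passwd",
        "malformed_run": "stray/artifacts/x",
    }
    verdicts = {}
    for label, path in cases.items():
        try:
            resolve_artifact_path(root, path)
            verdicts[label] = "allowed"
        except ArtifactPathError:
            verdicts[label] = "rejected"
    return verdicts
```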
8. Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor Advisory | Published (ZDI) | ZDI-26-111 (19 Feb 2026), ZDI-26-105 (13 Feb 2026) (ZDI) |
| CVE Assigned | Yes | CVE-2026-2635, CVE-2026-2033 (NVD) |
| PoC Available | No | No public proof-of-concept exploit for either CVE (ZDI, NVD) |
| Patch Available | Yes | PR #19260 merged; included in MLflow 3.8.0+ (GitHub PR #19260, PyPI) |
| Exploited in Wild | Not confirmed | No KEV listing; no public reports of active exploitation (CISA KEV, NVD) |
Source Quality:
| Dimension | Assessment |
|---|---|
| Source Reliability | A -- Completely Reliable (NVD + ZDI coordinated disclosure) |
| Information Credibility | 2 -- Probably True (vendor acknowledged, fix merged, CVEs assigned) |
| Admiralty Grade | A2 |
9. Detection Signatures
Detection Limitations and Prerequisites
The following limitations must be understood before deploying these rules (RAXE assessment):
- No confirmed attack telemetry. No public exploit exists for either CVE. These rules are written from first principles derived from CWE-1393 and CWE-22 patterns and the ZDI advisory descriptions (RAXE assessment).
- Default credential values not specified here. The exact default credentials shipped in `basic_auth.ini` are referenced in ZDI-26-111 but are not reproduced in this document. Rule 1 uses a placeholder `REDACTED_DEFAULT_VALUE` (ZDI-26-111).
- MLflow HTTP access logs required. Rules 1 and 2 depend on HTTP access logs from the MLflow Tracking Server process or its reverse proxy. If MLflow is deployed behind a load balancer, log sources must be adjusted accordingly (RAXE assessment).
- File system auditing required for Rule 3. Detection of file writes outside the artifact directory requires OS-level file system audit logging (e.g., Linux auditd, Windows Sysmon) (RAXE assessment).
- Version range unknown. NVD has not confirmed the affected version range (NVD -- Awaiting Analysis). Scope these rules to all MLflow Tracking Server deployments running versions prior to 3.8.0 until NVD analysis is complete (RAXE assessment).
Sigma Rule 1 -- MLflow Default Credentials Login Attempt (Delivery Telemetry)
```yaml
title: MLflow Default Credentials Login Attempt (CVE-2026-2635)
id: a1f3c820-7e2d-4b91-a8d5-9f0e3b2c1a47
status: experimental
description: >
  Detects HTTP authentication attempts against the MLflow Tracking Server
  using the default credentials shipped in basic_auth.ini (CVE-2026-2635,
  CWE-1393). Delivery telemetry -- may match misconfigured deployments.
  NOTE: Replace REDACTED_DEFAULT_VALUE with the Base64-encoded credential
  pair from ZDI-26-111 before activation.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-2635
  - https://www.zerodayinitiative.com/advisories/ZDI-26-111/
author: RAXE Labs (M. Hirani)
date: 2026-03-11
tags:
  - attack.initial_access
  - attack.t1078
  - attack.t1190
  - cve.2026-2635
  - cwe.1393
logsource:
  category: webserver
  product: mlflow
detection:
  selection:
    cs-method:
      - GET
      - POST
      - PUT
      - DELETE
    cs-uri-stem|contains: '/api/'
    cs-Authorization|contains: 'Basic REDACTED_DEFAULT_VALUE'
  condition: selection
fields:
  - c-ip
  - cs-method
  - cs-uri-stem
  - sc-status
  - cs-Authorization
falsepositives:
  - Misconfigured deployments where default credentials have not been rotated
  - Security team credential audits against MLflow
level: medium
```
Sigma Rule 2 -- MLflow Artifact Handler Path Traversal Sequences (Post-Exploitation Hunting)
```yaml
title: MLflow Artifact Handler Path Traversal Attempt (CVE-2026-2033)
id: b2e4d931-8f3e-5c02-b9e6-0a1f4c3d2b58
status: experimental
description: >
  Detects path traversal sequences in HTTP requests directed at the MLflow
  Tracking Server (CVE-2026-2033, CWE-22). Post-exploitation hunting rule --
  correlate with Rule 1 for higher-confidence triage. URL-encoded variants
  are included as standard CWE-22 evasion patterns (RAXE assessment).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-2033
  - https://www.zerodayinitiative.com/advisories/ZDI-26-105/
  - https://github.com/mlflow/mlflow/pull/19260
author: RAXE Labs (M. Hirani)
date: 2026-03-11
tags:
  - attack.execution
  - attack.t1190
  - attack.t1083
  - cve.2026-2033
  - cwe.22
logsource:
  category: webserver
  product: mlflow
detection:
  selection_traversal:
    # A list under a |contains field matches if any value is present;
    # Sigma has no '|any' modifier, so none is used here
    cs-uri-stem|contains:
      - '../'
      - '..\\'
      - '%2e%2e%2f'
      - '%2e%2e/'
      - '..%2f'
      - '%2e%2e%5c'
  condition: selection_traversal
fields:
  - c-ip
  - cs-method
  - cs-uri-stem
  - cs-uri-query
  - sc-status
  - cs-Authorization
falsepositives:
  - Legitimate artifact paths containing double-dot sequences
  - Security scanner activity
  - Penetration testing
level: high
```
Sigma Rule 3 -- MLflow Process Writing Files Outside Artifact Directory (Post-Exploitation Hunting)
```yaml
title: MLflow Process File Write Outside Artifact Directory (CVE-2026-2033)
id: c3f5e042-9a4f-6d13-caf7-1b2a5d4e3c69
status: experimental
description: >
  Detects file write events by the MLflow process to paths outside the
  configured artifact storage root (CVE-2026-2033, CWE-22). Post-exploitation
  hunting rule. Requires OS-level file audit logging and deployment-specific
  configuration of the MLFLOW_ARTIFACT_ROOT path (RAXE assessment).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-2033
  - https://www.zerodayinitiative.com/advisories/ZDI-26-105/
  - https://github.com/mlflow/mlflow/pull/19260
author: RAXE Labs (M. Hirani)
date: 2026-03-11
tags:
  - attack.execution
  - attack.t1105
  - attack.t1083
  - cve.2026-2033
  - cwe.22
logsource:
  category: file_event
  product: linux
detection:
  selection_process:
    Image|endswith:
      - '/mlflow'
      - '/gunicorn'
      - '/uvicorn'
      - '/python3'
      - '/python'
  filter_allowed_path:
    TargetFilename|startswith: 'MLFLOW_ARTIFACT_ROOT'
  condition: selection_process and not filter_allowed_path
fields:
  - Image
  - CommandLine
  - TargetFilename
  - User
  - ProcessId
falsepositives:
  - MLflow writing legitimate configuration or log files outside the artifact root
  - MLflow upgrade or migration operations
  - Shared Python processes serving other applications alongside MLflow
level: high
```
Detection Summary
| # | Rule | Type | Classification | Level |
|---|---|---|---|---|
| 1 | Default Credentials Login Attempt | Sigma | Delivery telemetry | medium |
| 2 | Artifact Handler Path Traversal | Sigma | Post-exploitation hunting | high |
| 3 | File Write Outside Artifact Directory | Sigma | Post-exploitation hunting | high |
Severity rationale: Rule 1 is classified medium because a single default-credential attempt may represent a misconfiguration audit or security scan and requires enrichment before escalation. Rules 2 and 3 are classified high because path traversal sequences and unexpected file writes are rarely benign in a production MLflow context. Detection severity reflects operational signal quality, not the CVSS severity of the underlying vulnerability (RAXE assessment).
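As an added example (not part of the report's rule set), the Python below applies the logic of Rules 1 and 2 to constructed access-log lines and implements the Rule 1 / Rule 2 correlation that the Rule 2 description recommends. It goes slightly beyond Rule 2 by also scanning the query string and a once-decoded copy of the path. The log format, the sample lines and the `PLACEHOLDER_TOKEN` value are constructed; `REDACTED_DEFAULT_VALUE` is the same placeholder the rules use.

```python
"""Added example, not part of the report's Sigma rules: Rule 1 and Rule 2
logic applied to constructed access-log lines, plus the Rule 1 / Rule 2
correlation the Rule 2 description recommends."""
import re
from urllib.parse import unquote

# Placeholder for the Base64 credential pair, exactly as in Sigma Rule 1
DEFAULT_CRED_MARKER = "Basic REDACTED_DEFAULT_VALUE"
RULE1_METHODS = {"GET", "POST", "PUT", "DELETE"}
# The traversal sequences Sigma Rule 2 lists (compared case-insensitively)
TRAVERSAL_PATTERNS = ("../", "..\\", "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c")

# Constructed log format (assumption): c-ip cs-method cs-uri sc-status "cs-Authorization"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

# Constructed sample lines; source addresses are RFC 5737 documentation ranges
SAMPLE_LOG = """\
203.0.113.7 POST /api/2.0/mlflow/users/create 200 "Basic REDACTED_DEFAULT_VALUE"
198.51.100.3 GET /api/2.0/mlflow/experiments/list 200 "Basic dXNlcjpzM2NyM3Q="
203.0.113.7 GET /get-artifact?path=..%2f..%2fmeta.yaml 200 "Basic REDACTED_DEFAULT_VALUE"
203.0.113.7 GET /api/2.0/mlflow-artifacts/artifacts/%2e%2e/%2e%2e/etc/passwd 404 "Basic REDACTED_DEFAULT_VALUE"
198.51.100.9 GET /api/2.0/mlflow/runs/get 200 "Bearer PLACEHOLDER_TOKEN"
"""


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["stem"], _, ev["query"] = ev["uri"].partition("?")
    return ev


def rule1_default_creds(ev: dict) -> bool:
    """Sigma Rule 1: an API request carrying the default credential pair."""
    return (
        ev["method"] in RULE1_METHODS
        and "/api/" in ev["stem"]
        and DEFAULT_CRED_MARKER in ev["auth"]
    )


def rule2_traversal(ev: dict) -> bool:
    """Sigma Rule 2 logic on the URI stem, extended here to the query string
    and to a once-decoded copy so double-encoded sequences are still caught."""
    for field in (ev["stem"], ev["query"]):
        low = field.lower()
        if any(p in low or p in unquote(low) for p in TRAVERSAL_PATTERNS):
            return True
    return False


def analyse(log_text: str) -> list:
    """Return (source ip, uri stem, rules hit) for every line matching a rule."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hits = []
        if rule1_default_creds(ev):
            hits.append("rule1_default_creds")
        if rule2_traversal(ev):
            hits.append("rule2_traversal")
        if hits:
            alerts.append((ev["ip"], ev["stem"], tuple(hits)))
    return alerts


def correlate(alerts: list) -> list:
    """Source IPs that triggered both rules: the higher-confidence triage
    signal the Rule 2 description asks for."""
    by_ip = {}
    for ip, _, hits in alerts:
        by_ip.setdefault(ip, set()).update(hits)
    both = {"rule1_default_creds", "rule2_traversal"}
    return sorted(ip for ip, hit_set in by_ip.items() if both <= hit_set)
```

Running `correlate(analyse(SAMPLE_LOG))` on the constructed lines returns the single source that both used the placeholder credentials and sent traversal sequences.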
10. Detection & Mitigation
Immediate Remediation (Within 48 Hours)
- Upgrade MLflow to version 3.8.0 or later -- the latest version is 3.10.1, released 5 March 2026 (PyPI, GitHub PR #19260)
- Change all default credentials in `basic_auth.ini` on every MLflow Tracking Server deployment (ZDI-26-111)
- Audit network access controls to ensure MLflow Tracking Server is not exposed to untrusted networks (RAXE assessment)
Short-Term Mitigations (Within 1 Week)
- Review artifact storage configurations: deployments using file-based artifact storage (FileStore backend) are specifically affected by CVE-2026-2033 (GitHub PR #19260)
- Inspect artifact directories for unexpected `meta.yaml` files, which may indicate prior exploitation attempts (GitHub PR #19260)
- Integrate with enterprise identity providers rather than relying solely on `basic_auth.ini` for authentication (RAXE assessment)
Strategic Recommendations
- Monitor MLflow for additional path traversal disclosures -- the project has a documented history of CWE-22 vulnerabilities including CVE-2024-3573 and CVE-2024-1594 (RAXE assessment)
- Establish vulnerability monitoring for MLOps platform dependencies (MLflow, Kubeflow, DVC, and similar) (RAXE assessment)
- Network segmentation: assess whether MLflow Tracking Server instances should be segmented from production networks, particularly where they handle sensitive model artefacts or training data (RAXE assessment)
11. Indicators of Compromise
All indicators below are behavioural -- derived from advisory-described attack mechanisms (ZDI-26-111, ZDI-26-105). No file hashes or network IOCs are available as no public exploit has been observed.
| Type | Indicator | Context | Classification |
|---|---|---|---|
| Network | HTTP authentication to MLflow using default basic_auth.ini credentials | Authentication bypass stage (CVE-2026-2635) | Delivery telemetry (ZDI-26-111) |
| Network | HTTP requests containing path traversal sequences (../) targeting MLflow artifact endpoints | Directory traversal stage (CVE-2026-2033) | Hunting -- CWE-22 pattern (RAXE assessment) |
| File | Unexpected meta.yaml files in MLflow artifact directories | Traversal trigger mechanism | Hunting -- advisory-referenced (ZDI-26-105, GitHub PR #19260) |
| File | File writes by MLflow process outside the configured artifact storage root | Post-exploitation file manipulation | Hunting -- deployment-specific (RAXE assessment) |
| Configuration | Modified basic_auth.ini with non-default credentials followed by reset to defaults | Potential credential reset attack | Hunting -- speculative (RAXE assessment) |
12. Strategic Context
This finding highlights two systemic risks in MLOps infrastructure security (RAXE assessment):
Default credential risk in ML platforms. MLflow's decision to ship a basic authentication module with hard-coded default credentials is a well-understood anti-pattern (CWE-1393). The same weakness class has affected numerous infrastructure products, but its presence in an MLOps platform deployed across enterprise AI/ML environments extends the attack surface into environments that may lack the security maturity of traditional web application deployments (RAXE assessment).
Recurring path traversal in MLflow. CVE-2026-2033 is not the first path traversal vulnerability in MLflow. Prior CVEs including CVE-2024-3573 and CVE-2024-1594 targeted similar file handling code paths. The recurrence suggests a systemic pattern in MLflow's file operations layer that warrants ongoing monitoring by organisations relying on MLflow for experiment tracking and model management (RAXE assessment).
ZDI coordination and disclosure timeline. The two vulnerabilities were reported independently -- CVE-2026-2033 on 31 July 2025 and CVE-2026-2635 on 14 October 2025 -- yet were addressed in the same fix PR (#19260), merged 10 December 2025 (ZDI-26-105, ZDI-26-111, GitHub PR #19260). The public advisories were released in February 2026, approximately two months after the fix was available. Organisations with timely patch management would have had the fix applied before the advisories were published (RAXE assessment).
MITRE ATLAS mapping. This finding maps to MITRE ATLAS technique AML.T0053 (AI Agent Tool Invocation). MLflow Tracking Server functions as a core AI infrastructure component invoked by ML pipelines and agents during model training, experiment tracking, and artefact management. Compromise of the Tracking Server enables model poisoning, training data exfiltration, and experiment manipulation -- all of which have downstream effects on model integrity and trustworthiness (RAXE assessment).
Regulatory consideration. Organisations subject to supply chain security requirements (e.g., NIST SP 800-218, EU CRA) should assess whether their MLOps platform components -- including experiment tracking servers -- fall within scope of software supply chain risk management programmes. A compromised Tracking Server could undermine the provenance and integrity of model training records required under the EU AI Act's documentation obligations (RAXE assessment).
13. References
- CVE-2026-2635 -- NVD Entry, CVSS 9.8 Critical (CVSS v3.0) (NVD)
- CVE-2026-2033 -- NVD Entry, CVSS 8.1 High (CVSS v3.0) (NVD)
- ZDI-26-111 -- MLflow Use of Default Password Authentication Bypass (ZDI)
- ZDI-26-105 -- MLflow Tracking Server Artifact Handler Directory Traversal RCE (ZDI)
- GitHub PR #19260 -- Fix artifact path traversal vector (GitHub)
- MLflow on PyPI -- version history (PyPI)
- EPSS Score for CVE-2026-2635 -- 1.39%, 80.10th percentile (FIRST.org EPSS)
- EPSS Score for CVE-2026-2033 -- 15.58%, 94.56th percentile (FIRST.org EPSS)
- MITRE ATLAS: AML.T0053 -- AI Agent Tool Invocation (MITRE ATLAS)