{"data":{"id":"75b46f6c-5146-4b21-bd5e-da1f79969db0","title":"CVE-2026-2033: MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allo","summary":"MLflow Tracking Server has a directory traversal (a flaw where an attacker uses special path characters like '../' to access files outside intended directories) vulnerability in its artifact file handler that allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability exists because the server doesn't properly validate file paths before using them in operations, letting attackers run code with the permissions of the service account running MLflow.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-2033","publishedAt":"2026-02-20T23:16:03.093Z","cveId":"CVE-2026-2033","cweIds":["CWE-22"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.1558,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}