{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T04:39:09.935","vulnerabilities":[{"cve":{"id":"CVE-2026-2033","sourceIdentifier":"zdi-disclosures@trendmicro.com","published":"2026-02-20T23:16:03.093","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649."},{"lang":"es","value":"Vulnerabilidad de ejecución remota de código por salto de directorio en el gestor de artefactos de MLflow Tracking Server. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de MLflow Tracking Server. No es necesaria la autenticación para explotar esta vulnerabilidad.\n\nLa falla reside en el manejo de las rutas de archivos de artefactos. El problema se debe a la falta de validación adecuada de una ruta proporcionada por el usuario antes de usarla en operaciones de archivo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto de la cuenta de servicio. Fue ZDI-CAN-26649."}],"metrics":{"cvssMetricV30":[{"source":"zdi-disclosures@trendmicro.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"zdi-disclosures@trendmicro.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/mlflow/mlflow/pull/19260","source":"zdi-disclosures@trendmicro.com"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-26-105/","source":"zdi-disclosures@trendmicro.com"}]}}]}