Skip to main content

ClearML CVE-2026-8387

| EUVDEUVD-2026-40957 LOW
Relative Path Traversal (CWE-23)
2026-07-01 @huntr_ai GHSA-mhhg-pjm8-92vh
2.4
CVSS 3.0 · Vendor: huntr_ai

Severity by source

Vendor (huntr_ai) PRIMARY
2.4 LOW
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
9.0 CRITICAL

Zip slip enables RCE via cron/SSH writes, warranting S:C and C/I/A:H; PR:L reflects typical authenticated ClearML user needed to upload artifacts.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 14:02 EUVD
Analysis Generated
Jul 01, 2026 - 13:21 vuln.today

DescriptionCVE.org

A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting .zip archives using the ZipFile.extractall() method in StorageManager._extract_to_cache(). This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.

AnalysisAI

Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Upload malicious zip to ClearML-accessible storage
Delivery
Victim ClearML user triggers dataset/model/artifact download
Exploit
StorageManager._extract_to_cache() calls ZipFile.extractall() without path validation
Execution
Traversal sequence writes attacker-controlled file to host filesystem
Persist
Cron job, SSH authorized_keys, or web shell planted
Impact
Attacker executes commands as ClearML service user

Vulnerability AssessmentAI

Exploitation The attacker must be able to supply or substitute a malicious zip archive in one of four ClearML operations: dataset download, artifact download, model download, or offline session import. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official NVD CVSS 3.0 score of 2.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N) dramatically misrepresents this vulnerability's real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to upload a crafted dataset or model artifact to a ClearML-connected storage backend (S3 bucket, NFS share, or the ClearML server itself) creates a malicious zip file containing an entry with a path such as '../../.ssh/authorized_keys' pointing to their own public key. When a legitimate ClearML user triggers a dataset download or model pull that references this artifact, StorageManager._extract_to_cache() calls ZipFile.extractall() without path validation, writing the attacker's SSH public key into the ClearML service user's authorized_keys file. …
Remediation Upgrade ClearML to version 2.1.6 or later, which resolves the path traversal issue per the confirmed fix commit at https://github.com/allegroai/clearml/commit/4fd611c564256e4f294a6db133705120f203f476. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy