Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Zip slip enables RCE via cron/SSH writes, warranting S:C and C/I/A:H; PR:L reflects typical authenticated ClearML user needed to upload artifacts.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting .zip archives using the ZipFile.extractall() method in StorageManager._extract_to_cache(). This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.
AnalysisAI
Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to supply or substitute a malicious zip archive in one of four ClearML operations: dataset download, artifact download, model download, or offline session import. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official NVD CVSS 3.0 score of 2.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N) dramatically misrepresents this vulnerability's real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to upload a crafted dataset or model artifact to a ClearML-connected storage backend (S3 bucket, NFS share, or the ClearML server itself) creates a malicious zip file containing an entry with a path such as '../../.ssh/authorized_keys' pointing to their own public key. When a legitimate ClearML user triggers a dataset download or model pull that references this artifact, StorageManager._extract_to_cache() calls ZipFile.extractall() without path validation, writing the attacker's SSH public key into the ClearML service user's authorized_keys file. … |
| Remediation | Upgrade ClearML to version 2.1.6 or later, which resolves the path traversal issue per the confirmed fix commit at https://github.com/allegroai/clearml/commit/4fd611c564256e4f294a6db133705120f203f476. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40957
GHSA-mhhg-pjm8-92vh