CVE-2026-2635
CRITICAL
GHSA-gq3w-7jj3-x7gr
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
Analysis
Default password auth bypass in MLflow ML platform. EPSS 1.4%.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all MLflow installations in your environment and isolate them from untrusted networks; disable remote access where possible and enable detailed access logging. Within 7 days: Implement network segmentation to restrict MLflow access to authenticated internal users only; deploy WAF rules to block exploitation attempts; conduct forensic review of access logs for signs of compromise. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today