MLflow Use of Default Password Authentication Bypass Vulnerability
MLflow contains a critical authentication bypass vulnerability (CVE-2026-2635) with a CVSS score of 9.8 that allows unauthenticated remote attackers to access affected systems without valid credentials. An attacker can exploit this flaw to compromise the confidentiality, integrity, and availability of MLflow installations and any data or models stored within them. Security teams should immediately patch MLflow systems, prioritizing internet-exposed instances, and consider implementing network segmentation or additional access controls until patches are available.