Advisory Details

MLflow Use of Default Password Authentication Bypass Vulnerability
ZDI-26-111 / ZDI-CAN-28256

This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow.

  • Authentication is not required to exploit this vulnerability.
  • The specific flaw exists within the basic_auth.ini file.
  • The file contains hard-coded default credentials.
  • An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.

  • 2025-10-14 - Vulnerability reported to vendor
  • 2026-02-19 - Coordinated public release of advisory
  • 2026-02-19 - Advisory Updated
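The flaw the advisory describes is a configuration weakness rather than a code bug: an MLflow deployment whose basic_auth.ini still carries the shipped default admin credentials accepts them from anyone who can reach the tracking server. As an added example (not part of the ZDI advisory and not MLflow's own code), the following Python audit parses a basic_auth.ini and flags admin credentials that are still at the documented default or are otherwise weak, showing a weak configuration beside a corrected one. The `[mlflow]` section and the `admin_username` / `admin_password` keys follow MLflow's shipped sample file and are treated as assumptions here; the default pair checked for is the one in MLflow's documentation, and both sample configs are constructed.

```python
"""Audit an MLflow basic_auth.ini for default or weak admin credentials.

Added example, not ZDI's or MLflow's code. Assumptions: the file is an INI
with an [mlflow] section carrying admin_username / admin_password keys (as in
MLflow's shipped basic_auth.ini), and the default pair flagged below is the
one from MLflow's documented sample file.
"""
import configparser
from dataclasses import dataclass, field

# Assumption: the (username, password) pair MLflow documents as its sample default.
DOCUMENTED_DEFAULTS = {("admin", "password")}
MIN_PASSWORD_LEN = 12


@dataclass
class AuditResult:
    """Collected findings; an empty list means the credential settings look sane."""
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_basic_auth_text(ini_text: str) -> AuditResult:
    """Parse INI text and report problems with the admin credential settings."""
    result = AuditResult()
    # interpolation=None so a '%' in a password is not treated as a format directive.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)

    if not parser.has_section("mlflow"):
        result.findings.append("missing [mlflow] section")
        return result

    section = parser["mlflow"]
    user = section.get("admin_username", "").strip()
    pw = section.get("admin_password", "").strip()

    if not user or not pw:
        result.findings.append("admin_username or admin_password is unset or empty")
        return result
    if (user, pw) in DOCUMENTED_DEFAULTS:
        result.findings.append("admin credentials are the documented sample defaults")
    if pw == user:
        result.findings.append("admin_password equals admin_username")
    if len(pw) < MIN_PASSWORD_LEN:
        result.findings.append(f"admin_password shorter than {MIN_PASSWORD_LEN} characters")
    return result


def audit_basic_auth_file(path: str) -> AuditResult:
    """Convenience wrapper: audit a basic_auth.ini on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_basic_auth_text(fh.read())


# Constructed sample: the weak setting, i.e. the shipped defaults left in place.
WEAK_INI = """
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = admin
admin_password = password
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""

# Constructed sample: the corrected setting. The password value is a labelled
# placeholder; in practice generate a long random secret and keep the file
# out of version control.
HARDENED_INI = """
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = mlflow-admin
admin_password = Vq8-constructed-placeholder-Yt3
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        res = audit_basic_auth_text(text)
        print(f"{label}: {'OK' if res.ok else 'FINDINGS'} {res.findings}")
```

Run the audit against the path MLflow reads (by default the basic_auth.ini inside the installed package, or the file pointed to by the auth config path the deployment uses) as part of deployment checks, and treat any finding as a blocker before the tracking server is exposed on a network.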

Article Summaries:

  • CVE ID | CVE-2026-2635
  • CVSS SCORE | 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • AFFECTED VENDORS | MLflow
  • AFFECTED PRODUCTS | MLflow
  • VULNERABILITY DETAILS | This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.
  • ADDITIONAL DETAILS | MLflow h
