CVE-2026-2635
CRITICAL 9.8 | EPSS 1.5% | MLflow Use of Default Password Authentication Bypass Vulnerability
Published: 2/21/2026 | Modified: 3/17/2026
Description
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within basic_auth.ini, the configuration file for MLflow's optional basic-auth app (enabled with mlflow server --app-name basic-auth): the file as shipped contains hard-coded default administrator credentials. A deployment that enables basic auth without replacing those credentials (for example with a custom file pointed to by MLFLOW_AUTH_CONFIG_PATH) accepts them from any network client, so an attacker can log in as the administrator and execute arbitrary code in the context of the administrator. Fixed in 3.8.0rc0 (see the referenced commit and pull request). Note that a server run without the basic-auth app performs no authentication at all; such deployments are outside the scope of this CVE but should never be exposed to untrusted networks.
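The check a practitioner wants here is whether the basic-auth configuration a given MLflow server will load still carries the shipped admin credential. The following is an added example, not code from this advisory or from the MLflow project. It assumes the documented default credentials (admin / password1234) from mlflow/server/auth/basic_auth.ini; verify those against the copy in your installed package. The two ini bodies are constructed samples, and the finding codes are this example's own naming.

```python
"""Audit an MLflow basic-auth configuration for the shipped default admin credentials."""
import configparser
import os
from pathlib import Path
from typing import Mapping, Optional

# Defaults shipped in mlflow/server/auth/basic_auth.ini, as documented in MLflow's
# basic-auth docs. Assumption for this example: verify against your installed copy.
SHIPPED_DEFAULT_USERNAME = "admin"
SHIPPED_DEFAULT_PASSWORD = "password1234"

# Constructed sample: a file left exactly as shipped after enabling --app-name basic-auth.
UNCHANGED_INI = """\
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = admin
admin_password = password1234
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""

# Constructed sample: the same file with the admin credential replaced.
HARDENED_INI = """\
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = mlops-admin
admin_password = 0c4a1f9e-long-random-secret-from-your-vault
authorization_function = mlflow.server.auth:authenticate_request_basic_auth
"""


def audit_basic_auth_ini(ini_text: str) -> list[str]:
    """Return finding codes for a basic_auth.ini body; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("mlflow"):
        return ["NO_MLFLOW_SECTION"]
    findings = []
    username = cp.get("mlflow", "admin_username", fallback=None)
    password = cp.get("mlflow", "admin_password", fallback=None)
    if not password:
        findings.append("NO_ADMIN_PASSWORD")
    elif password == SHIPPED_DEFAULT_PASSWORD:
        # The condition CVE-2026-2635 describes: anyone who knows the shipped value is admin.
        findings.append("DEFAULT_ADMIN_PASSWORD")
    if username == SHIPPED_DEFAULT_USERNAME:
        # Informational: a known admin username removes half of an attacker's guesswork.
        findings.append("DEFAULT_ADMIN_USERNAME")
    return findings


def resolve_config_path(env: Mapping[str, str] = os.environ) -> Optional[Path]:
    """Path the basic-auth app reads: MLFLOW_AUTH_CONFIG_PATH if set, otherwise the
    packaged basic_auth.ini next to mlflow.server.auth (None if mlflow is not installed)."""
    custom = env.get("MLFLOW_AUTH_CONFIG_PATH")
    if custom:
        return Path(custom)
    try:
        import mlflow.server.auth as auth  # type: ignore
    except ImportError:
        return None
    return Path(auth.__file__).with_name("basic_auth.ini")


def audit_deployment(env: Mapping[str, str] = os.environ) -> dict:
    """Audit the configuration file an MLflow server started on this host would load."""
    path = resolve_config_path(env)
    if path is None or not path.is_file():
        return {"path": str(path) if path else None, "findings": ["CONFIG_NOT_FOUND"]}
    return {"path": str(path), "findings": audit_basic_auth_ini(path.read_text())}


if __name__ == "__main__":
    for label, text in (("unchanged", UNCHANGED_INI), ("hardened", HARDENED_INI)):
        print(label, audit_basic_auth_ini(text) or "OK")
    print("this host:", audit_deployment())
```

Run it on the host that starts the tracking server, with the same environment the server process sees, since MLFLOW_AUTH_CONFIG_PATH decides which file is consulted. A clean result for the file is necessary but not sufficient: MLflow creates the admin user from these values when the auth database is first initialized, so an admin account that already exists with the shipped password must also be changed through the users API, not only by editing the file.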
Affected packages (1)
- PyPI/mlflow: from 0, < 3.8.0rc0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-2635
- PATCH https://github.com/mlflow/mlflow
- WEB https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4
- WEB https://github.com/mlflow/mlflow/pull/19260
- WEB https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0
- WEB https://www.zerodayinitiative.com/advisories/ZDI-26-111