CVSS 3.0 base score: 9.8

MLflow Uses Default Password, Leaving Admin Access Unprotected

CVE-2026-2635
Summary

MLflow installations that still run with the default credentials are at risk of access by unauthorized users: the defaults are hard-coded in the configuration, so anyone who knows them can bypass authentication. To fix this, change the default passwords in MLflow to unique, strong values.

Original title
MLflow Use of Default Password Authentication Bypass Vulnerability
Original description
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.
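An added configuration check for defenders, not part of this advisory or of the MLflow project: it reads a basic_auth.ini and flags an admin password that is still a shipped default, empty, or short. It assumes the file uses an [mlflow] section with admin_username and admin_password keys, and the sample file and default-password list below are constructed for the example and should be checked against your own MLflow version.

```python
import configparser
import io

# Constructed sample of a basic_auth.ini left at its defaults (assumed layout:
# an [mlflow] section holding admin_username / admin_password).
SAMPLE_DEFAULT_INI = """
[mlflow]
default_permission = READ
database_uri = sqlite:///basic_auth.db
admin_username = admin
admin_password = password1234
"""

# Passwords to treat as "still the shipped default" (assumed; verify for your version).
KNOWN_DEFAULT_PASSWORDS = {"password1234"}
MIN_PASSWORD_LENGTH = 16


def audit_basic_auth(ini_text: str) -> list[str]:
    """Return findings for an MLflow basic_auth.ini; an empty list means nothing flagged."""
    findings = []
    parser = configparser.ConfigParser()
    parser.read_file(io.StringIO(ini_text))
    if not parser.has_section("mlflow"):
        return ["no [mlflow] section found; file may not be a basic_auth.ini"]
    section = parser["mlflow"]
    username = section.get("admin_username", "")
    password = section.get("admin_password", "")
    if not password:
        findings.append("admin_password is empty or missing")
    elif password in KNOWN_DEFAULT_PASSWORDS:
        findings.append("admin_password is the shipped default (CWE-1393)")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin_password is shorter than {MIN_PASSWORD_LENGTH} characters")
    if username == "admin":
        findings.append("admin_username is the default 'admin'; consider a non-default name")
    return findings


def audit_file(path: str) -> list[str]:
    """Audit a basic_auth.ini on disk (path is supplied by the operator)."""
    with open(path, encoding="utf-8") as fh:
        return audit_basic_auth(fh.read())


if __name__ == "__main__":
    for finding in audit_basic_auth(SAMPLE_DEFAULT_INI):
        print("FINDING:", finding)
```

Run it against the real file with audit_file("/path/to/basic_auth.ini") after changing the credentials; an empty result means the defaults are gone and the password meets the length floor.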
NVD CVSS 3.0 base score: 9.8
Vulnerability type
CWE-1393 (Use of Default Password)
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026